SMT Workshop 2012 10th International Workshop on Satis ... · presentation-only papers, to provide...

SMT Workshop 201210th International Workshop on Satisfiability Modulo

Theories

SMT-COMP 2012

June 30 & July 1, 2012

Affiliated with the 6th International Joint Conference onAutomated Reasoning (IJCAR 2012)

Manchester, United Kingdom

http://smt2012.loria.fr/

Preface

This volume contains the papers presented at the tenth edition of the International Workshopon Satisfiability Modulo Theories (SMT-2012). The workshop was held on June 30 and July 1,2012, in Manchester, UK, in association with the Sixth International Joint Conference onAutomated Reasoning (IJCAR-2012), as part of the Alan Turing Year 2012, held just after TheAlan Turing Centenary Conference.

After ten years of this series of workshops, the SMT paradigm for determining the satisfia-bility of first-order formulas modulo background theories is still developing fast, and interest inSMT solving is increasing, probably faster than ever. The SMT Workshop is certainly the mainannual event of the community, where both researchers and users of SMT technology can meetand discuss new theoretical ideas, implementation and evaluation techniques, and applications.

In order to facilitate more exploration and increased discussion of newer ideas, this year weinvited submissions in three categories:

• extended abstracts, to present preliminary reports of work in progress;

• original papers, to describe original and mature research (simultaneous submissions werenot allowed);

• presentation-only papers, to provide additional access to important developments thatSMT Workshop attendees may be unaware of. These works may have been recentlypublished or submitted.

Papers were solicited on topics that include all aspects of Satisfiability Modulo Theorysolving. More specifically, some suggested topics were:

• Decision procedures and theories of interest

• Combinations of decision procedures

• Novel implementation techniques

• Benchmarks and evaluation methodologies

• Applications and case studies

• Theoretical results

We received thirteen papers. Each submission was reviewed by three program committee mem-bers. Due to the quality of and interest in the submissions, and in keeping with the desire toencourage presentation and discussion of works in progress, we were able to accept all contri-butions for presentation at the workshop.

We would like to thank the program committee and the reviewers for their work. We arevery grateful to the IJCAR organizers for their support and for hosting the workshop, and areindebted to the EasyChair team for the availability of the EasyChair Conference System.

June 2012 Pascal Fontaine and Amit Goel

II

Program Committee

• Clark Barrett (New York University)

• Nikolaj Bjørner (Microsoft)

• Roberto Bruttomesso (Atrenta)

• Sylvain Conchon (LRI & University of Paris-Sud)

• Bruno Dutertre (SRI)

• Pascal Fontaine (INRIA, University of Nancy), co-chair

• Vijay Ganesh (MIT)

• Amit Goel (Intel), co-chair

• Franjo Ivancic (NEC)

• Sava Krstic (Intel)

• Viktor Kuncak (EPFL)

• Shuvendu Lahiri (Microsoft)

• Ken McMillan (Microsoft)

• Roberto Sebastiani (University of Trento)

• Cesare Tinelli (The University of Iowa)

External reviewers

• Kshitij Bansal

• Scott Cotton

• Morgan Deters

• Liana Hadarean

III

Table of Contents

Invited talks

Practical Aspects of SAT Solving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Armin Biere

The Architecture of Inference from SMT to ETB . . . . . . . . . . . . . . . . . . . . . . . 2Natarajan Shankar

Original papers

Program Verification as Satisfiability Modulo Theories . . . . . . . . . . . . . . . . . . . . 3Nikolaj Bjorner, Kenneth McMillan and Andrey Rybalchenko

Built-in Treatment of an Axiomatic Floating-Point Theory for SMT Solvers . . . . . . . . 12Sylvain Conchon, Guillaume Melquiond, Cody Roux and Mohamed Iguernelala

Reasoning with Triggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Claire Dross, Sylvain Conchon, Johannes Kanig and Andrei Paskevich

SMT-Based System Verification with DVF . . . . . . . . . . . . . . . . . . . . . . . . . . 32Amit Goel, Sava Krstic, Rebekah Leslie and Mark Tuttle

On the Complexity of Fixed-Size Bit-Vector Logics with Binary Encoded Bit-Width . . . 44Gergely Kovasznai, Andreas Frohlich and Armin Biere

Extended abstracts and Works in progress

A Machine Learning Technique for Hardness Estimation of QFBV SMT Problems . . . . 56Mohammad Abdul Aziz, Amr Wassal and Nevine Darwish

Reachability Modulo Theory Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Francesco Alberti, Roberto Bruttomesso, Silvio Ghilardi, Silvio Ranise and NatashaSharygina

An SMT-LIB Format for Sequences and Regular Expressions . . . . . . . . . . . . . . . . 76Nikolaj Bjorner, Vijay Ganesh, Raphael Michel and Margus Veanes

Exotic Semi-Ring Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87Michael Codish, Yoav Fekete, Carsten Fuhs, Jurgen Giesl and Johannes Waldmann

A Theory of Arrays with set and copy Operations . . . . . . . . . . . . . . . . . . . . . . 97Stephan Falke, Carsten Sinz and Florian Merz

An SMT-based approach to automated configuration . . . . . . . . . . . . . . . . . . . . . 107Raphael Michel, Vijay Ganesh, Arnaud Hubaux and Patrick Heymans

Anatomy of Alternating Quantifier Satisfiability . . . . . . . . . . . . . . . . . . . . . . . 118Anh-Dung Phan, Nikolaj Bjørner and David Monniaux

Presentation only

Instantiation-Based Invariant DiscoveryTemesghen Kahsai, Yeting Ge and Cesare Tinelli

IV

Practical Aspects of SAT SolvingArmin Biere

Johannes-Kepler-Universitat Linz, Austria

Abstract

SAT solving techniques are used in many automated reasoning engines. This talkgives an overview on recent developments in practical aspects of SAT solver development.Beside improvements of the basic conflict driven clause learning (CDCL) algorithm, wealso discuss improving and integrating advanced preprocessing techniques as inprocessingduring search. The talk concludes with a brief overview on current trends in parallelizingSAT.

Pascal Fontaine, Amit Goel (eds.); SMT 2012, pp. 1–1 1

The Architecture of Inference from SMT to

ETBNatarajan Shankar

SRI International Computer Science Laboratory

Abstract

Modularity plays a central role in logical reasoning. We want to be able to reuseproofs, proof patterns, theories, and specialized reasoning procedures. Architectures thatsupport modularity have been developed at all levels of inference: SAT solvers, theorysolvers, combination solvers and rewriters, SMT solvers, simplifiers, rewriters, and tactics-based interactive theorem provers. Prior work has mostly focused on fine-grained modularinference. However, with the availability of a diverse range of high-quality inference tools,it has become important to systematically integrate these big components into robusttoolchains. At SRI, we have been developing a framework called the Evidential Tool Bus(ETB) as a distributed platform for the coarse-grained integration of inference componentsinto flexible, scriptable workflows. The talk describes the architecture of ETB along withsome motivating applications.

2 Pascal Fontaine, Amit Goel (eds.); SMT 2012, pp. 2–2

Program Verification as Satisfiability Modulo

Theories

Nikolaj BjørnerMicrosoft Research

Ken McMillanMicrosoft Research

Andrey RybalchenkoTechnische Universitat Munchen

Abstract

A key driver of SMT over the past decade has been an interchange format, SMT-LIB,and a growing set of benchmarks sharing this common format. SMT-LIB captures verywell an interface that is suitable for many tasks that reduce to solving first-order formulasmodulo theories. Here we propose to extend these benefits into the domain of symbolicsoftware model checking. We make a case that SMT-LIB can be used, and to a limitedextent adapted, for exchanging symbolic software model checking benchmarks. We believethis layer facilitates dividing innovations in modeling, developing program logics and front-ends, from developing algorithms for solving constraints over recursive predicates.

1 SMT and checking properties of recursive predicates

Progress in modern SMT solvers has been driven by a large set of applications in diverseareas. Applications reduce problems to common first-order formats, SMT-LIB [5] and now alsothe THF [13] format in TPTP, for exchanging benchmarks. They benefit from the progress inautomated deduction in SMT solvers and utilize the smorgasbord of theories that are supportedwith efficient and dedicated solvers. Common to SMT solvers is their support for simply typedfirst-order classical logic augmented with theories. They solve satisfiability of formulas overthe supported language. When SMT solvers are used to discharge verification conditions fromprogram verifiers, it is important to be able to check validity, or dually unsatisfiability. WhenSMT solvers are used in dynamic symbolic simulation, the more interesting question is todetermine satisfiability and find a satisfying assignment to formulas. A key driver of progressin these applications has been the ability to exchange problems using standardized and well-defined logics, theories and syntax, especially as embodied in the SMT-LIB standard.

Here we propose to extend these benefits into the domain of symbolic software model check-ing. This problem reduces to the problem of inference of the intermediate specifications re-quired by various proof systems. These specifications can be, for example, loop invariants,procedure summaries, environment assumptions or dependent types. As observed in [6], theinference problem in turn reduces to the problem of satisfiability of a certain class of first-orderconstraints containing unknown relations. These constraints can be produced by existing ver-ification condition generators, which already typically target the SMT-LIB standard. We willargue that, with very slight extensions, SMT-LIB can be adapted to be a standard interchangemedium for software model checking and related problems. The advantage of such an approachis a clean separation of concerns: the interpretation of programming language is left to verifi-cation condition generators, while model checking is handled by purely logic-based tools. Thisseparation could have several benefits. It relieves the algorithm implementer from the needto deal with the complexity of programming languages, it allows implementations to be easilyre-targeted to different languages, and it allows algorithms to be compared directly, withoutconcern for the ambiguity of how programming languages are modeled. At the very least it canbe instrumental for comparing algorithms for checking recursive predicates whether they comefrom software model checking or not.


Program Verification as SMT N. Bjørner, K. McMillan, A. Rybalchenko

In this paper, we propose extensions to SMT-LIB to allow it to be used as an interchangeformat for software model checking benchmarks. We are not alone in suggesting ways of lever-aging SMT-LIB for verifying reactive systems and software. The VMT 1 effort, see also theproceedings for this workshop (SMT 2012), proposes extending SMT-LIB with notation fortransitions. Our suggestion is to utilize Horn clauses as a low-level, but uniform, exchange for-mat. Transition systems and, more generally, push-down systems can be translated into Hornclauses. Of course, Horn clauses can be translated into transition systems by using a theorythat can express stacks. The Numerical Transition Systems Library also aims to identify aninterchange format for transition systems. We aim to provide a basis for comparing varioustools that work on various incarnations of recursive predicates, such as [14, 2, 3, 8, 1].

2 Program verification Tool work-flow

A proof system gives us rules for decomposing the proof of a complex goal into proofs of simplersub-goals. These rules are typically non-deterministic, requiring us to instantiate some auxiliaryconstruct. Consider, for example, the proof rule for sequential compositions in Hoare logic:

P s1 Q s2 RP s1; s2 R

Here, the intermediate assertion Q is the auxiliary construct that must be instantiated in orderto decompose the proof. The decomposition yields two sub-goals above the line, one involvings1 and the other involving s2. The difficulty in this step is to infer the predicate Q.

In software model checking we are concerned with the problem of automatically inferringthese auxiliary proof constructs. Here we would like to argue that this inference problem canbe handled in a generic way. That is, we are interested in methods that are to some extentindependent of the proof system, and require only that the proof sub-goals can be expressed ina suitable logical form.

In program proving, the translation of proof sub-goals into logic is commonly referred to asverification condition (VC) generation. For example, suppose in the above example that ourprogram has one variable x. The VC’s can be written in this form:

∀x, x′. (P (x) ∧ [s1](x, x′) ⇒ Q(x′))

∀x, x′. (Q(x) ∧ [s2](x, x′) ⇒ R(x′))

where [si] is some relation representing the operational semantics of program statement si. Ifthese two formulas are shown to be valid, then our proof sub-goals are discharged, and we knowthat P s1; s2 R holds. Notice though, that these VC’s contain one unknown relation Qthat must be inferred. In a typical VC checking application, the user would provide the relationQ in logical form, and the task of the verification tool is to check that the two individual proofsub-goals are valid. On the other hand, the inference problem is to simultaneously solve theVC’s for a value of Q that makes both true. Both of these problems are satisfiability problems.In the former case, we separately check satisfiability of the negation of each condition, with afixed value for Q, while in the latter, we check satisfiability of both constraints together, withan uninterpreted symbol standing in for Q.

We will observe that the VC’s for a wide variety of proof systems have a particular form.That is, they are of the form ∀X. (B ⇒ H), where X is some set of first-order variables, H is

1https://sites.google.com/site/torino2011ic0901/programme/talks

4

https://sites.google.com/site/torino2011ic0901/programme/talks


an application of some (possibly unknown) relation, and B is a formula in which the unknownrelations occur only positively (that is, under an even number of negations) and not underquantifiers. For example, the two VC’s above are of this form. We will refer to such formulasas generalized Horn formulas. We will say that H is the head of the generalized Horn formula,B is the body, and the arity of a generalized Horn formula is the number of occurrences of anunknown relation in the body.

Quite a variety of proof systems produce VC’s as generalized Horn formulas. For example,within procedures, Hoare logic produces sub-goals of the form P s Q, which as we haveseen yield generalized Horn formulas of arity one as VC’s.

Now let’s consider procedure calls, in the way they are handled by the verification conditiongenerator for the Boogie programming language [4]. A parameter-less procedure π in Boogiehas the following form:

procedure π:requires P (X);ensures Q(Xold , X);σ

Here, formula P is a required precondition to enter the procedure, formula Q is the guaranteedpost-condition and statement σ is the body of the procedure. The precondition is over theprogram variables X, while the post-condition refers to the program variables X and theirentry procedure entry values Xold .

To generate verification conditions, Boogie replaces each call to π with the following code:

assert P (X);Xold := X;havoc X;assume Q(Xold , X);

The havoc statement causes the variables X to take a non-deterministic value. Thus, thetransformed call to π behaves as any code satisfying the specification of π. Now suppose the πis called in the following context:

assert R(X);call π;assert S(X);

After replacing the call to π, the verification conditions we obtain from the weakest preconditioncalculus are:

∀X. R(X) ⇒ P (X)

∀Xold , X. (R(Xold) ∧Q(Xold , X) ⇒ S(X))

Note that these formulas are also in generalized Horn formula form and that the second VChas arity two. That is, there are two unknown relations in the body of the second VC.

A very simple modular proof system for concurrent programs is given in [7]. We are givena collection of N parallel process of the form:

process πi:while * do

ρi

5


Each process πi has a set of local variables Xi. The processes share a set Y of global variables.We wish to prove in a modular way that, given some initial condition φinit(X1, . . . , XN , Y ),some error condition φerror (X1, . . . , XN , Y ) is never true. The relations to be inferred foreach process i are Ri(Xi, Y ), which is the invariant of the loop, and Ei(Y, Y

′), which is theenvironment constraint. The verification conditions for process πi are:

∀X1, . . . , XN , Y. φinit(X1, . . . , XN , Y ) ⇒ Ri(Xi, Y )

∀Xi, Y,X′i, Y

′. Ri(Xi, Y ) ∧ [ρi](Xi, Y,X′i, Y

′) ⇒ Ri(X′i, Y

′)

∀Xi, Y, Y′. Ri(Xi, Y ) ∧ Ei(Y, Y

′) ⇒ Ri(Xi, Y′)

∀Xi, Y,X′i, Y

′. Ri(Xi, Y ) ∧ [ρi](Xi, Y,X′i, Y

′) ⇒ Ej(Y, Y′) for j ∈ 1, . . . , N \ i

These conditions state respectively that the initial condition implies the loop invariant, the loopbody preserves the loop invariant, environment transitions preserve the loop invariant, and theloop body (executed atomically) is an allowed environment transition for other processes. Theglobal correctness condition is:

∀X1, . . . , XN , Y. R1(X1, Y ) ∧ · · · ∧RN (XN , Y ) ∧ φerror (X1, . . . , XN , Y ) ⇒ False

Note again that all these proof sub-goals are generalized Horn formulas.Another example is type checking of dependently typed functional programs. Consider the

Liquid Types system [12]. In this system, a refinement type has the form ν : β | P (ν,X),where β is a base type and P is a relation over the value ν and program variables X. Forexample, ν : int | ν > x is the type of integers greater than variable x. A type bindingy : ν : β | P (ν,X) is translated to the logical constraint [[P (y,X)]], where [[·]] is a conservativeembedding of program terms into the logic. The typing rules of Liquid Types produce typechecking sub-goals of the form Γ ` ν : β | P1(ν,X) ≺ ν : β | P2(ν,X) where ≺ is the sub-type relation and Γ is an environment consisting of type bindings and constraints on variablesderiving from program guards. Logical verification conditions in the form of generalized Hornformulas are produced by the following rule:

[[Γ]] ∧ [[P1(ν,X)]]⇒ [[P2(ν,X)]]Γ ` ν : β | P1(ν,X) ≺ ν : β | P2(ν,X)

Existence of a relational interpretation satisfying these conditions is a sufficient condition fortype safety of the program (though not a necessary condition, since the typing rules are con-servative).

3 SMT as a Logical Layer

In the previous section we described how program verification tools produce verification con-ditions that can be viewed as a conjunction of Horn clauses. Program correctness reduces tofinding a solution to the recursive predicates defined by the Horn clauses. We will here elaborateon what this problem means in terms of logical formulas.

3.1 From Recursive Predicates to SMT

In its basic form, the problem posed by solving verification conditions is to determine whetherthere are solutions to recursive predicates, such that a conjunction of universally quantified Hornformulas is true. In other words, the query is whether a conjunction of formulas is satisfiable.

6


This characterization side-steps the semantics of auxiliary functions, background theories andassertions, other than theories that are indigenous to SMT such as arithmetic. We claim thatthe appropriate semantics is to determine that for every interpretation of a given backgroundtheory there is a solution to the recursive predicates. Using logical notation, we check the truthvalues of formulas of the form:

∀~R, ~f . Background [~R, ~f ] ⇒ ∃~P .∧∀ ~X .

(P1(X1) ∧ . . . ∧ PN (XN ) ∧ φ[~R, ~f, ~X] ⇒ P (X)

)(1)

This format is not directly supported by SMT-LIB. It includes universal quantification overrelations and functions. The quantifier alternation is also inconvenient if we wish to refer torecursive predicates as free variables (recall that ∃P.ϕ[P ] is satisfiable if and only if ϕ[P ] issatisfiable, so it is typically more convenient to define P as an uninterpreted predicate). Wecan change the alternation of quantifiers by exchanging the two outer alternations:

∃~P . ∀~R, ~f . Background [~R, ~f ] ⇒∧∀ ~X .

(P1(X1, ~R, ~f) ∧ . . . ∧ PN (XN , ~R, ~f) ∧ φ[~R, ~f, ~X] ⇒ P (X, ~R, ~f)

)(2)

The universal quantification over relations and functions is still present. Furthermore, P hasadditional arguments. Can we use SMT-LIB for higher-order problems? The theory of exten-sional arrays in SMT-LIB includes the function select. It corresponds to function application.This suggests the following approach: treat functions and relations as arrays, then use SMTsolvers to check satisfiability of the resulting formula with arrays. The catch is that the modeltheory for this first-order reformulation does not correspond to the original second-order for-mulation. In the following, we will avoid these transformations and side-step having to dealwith what are potentially adequate (higher-order or Henkin) theories for arrays. Instead wewill augment SMT-LIB slightly.

3.2 From SMT to Solutions of Recursive Predicates

Many applications of SMT solvers are only interested in checking validity of formulas. So, givena formula ϕ, they assert ¬ϕ and check if the SMT solver produces the answer unsat. Similar,in program verification, we are interested in checking a property. The most basic answer wewould expect from a verification tool for programs is whether the property ϕ can be established.Dually, we can ask whether the property ¬ϕ is unreachable.

More informative answers are possible. One may want a certificate for unreachability or acertificate for reachability. A certificate for reachability is in a nutshell a proof of unsatisfiability.The proof can be presented as a trace. A certificate for unreachability is in a nutshell a modelfor the recursive predicates. So what is a model? Saturation based theorem provers may be ableto produce a set of saturated clauses that do not include the empty clause and such that anyclause that can be deduced from the saturated set is subsumed. Checking that a set of first-orderclauses is saturated is relatively straight-forward. Unfortunately, we are not aware of reasonablenotions of saturation modulo theories. A different way to represent models is to produce aformula for each recursive predicate. The free variables in the produced formulas correspondto the arguments of the recursive predicate. So in a sense the formulas correspond to macroexpansions of the recursive predicates. Checking such a solution requires theorem proving: Plugin the macro expansion for each of recursive predicates and check that the resulting formulais valid. The proof obligations are ground when the background is empty. Existing tools forgenerating interpolants and lifting PDR to theories 2 do produce such certificates that can be

2In the case of PDR, we give a few small examples of such certificates on http://rise4fun.com/Z3Py/

tutorial/fixedpoints

7

http://rise4fun.com/Z3Py/tutorial/fixedpoints

http://rise4fun.com/Z3Py/tutorial/fixedpoints


checked by SMT solvers for ground formulas. We speculate that finer-graned certificates are ofpotential useful: macros together with proof hints that are used for checking that the macrosare indeed solutions.

3.3 Bloat in Translation?

What is the cost of resorting to a logical encoding of programs and their control-flow graphs?We alluded to that a control flow graph (CFG) corresponds directly to a set of Horn clauses.Each node in the CFG is a predicate. Horn clauses encode Hoare triples between locations. Inour experience, the main source of bloat is how variable scoping is handled: all local variablesin scope have to be either directly arguments of the recursive predicates, or indirectly by usingrecords or arrays that summarize variables. Current tools for solving predicates work withvariables enumerated directly. Using records would require additions to SMT-LIB from itscurrent form. In particular, it would be useful to have a way to update a record. One couldalso consider using arrays instead of records, but general purpose decision procedures for thetheory of extensional arrays are not really well tuned for this special purpose usage.

3.4 Loss in Translation?

A dual concern is whether this layer opens up for loss in translation. We argue not, as rules canbe in one-to-one correspondence with CFG/abstract syntax tree representations of programs.

3.5 Dealing with Heap

There are many possible ways to model and reason about heaps. Front-end tools may choosea model of their choice and encode the model in background axioms. Back-end solvers arealso left open to detect heap operations and provide different abstractions, such as separationlogics. Hence, it is also an area where solvers can compete on applying different abstractions.In summary, the approach (with encoding CFGs to SMT constraints) does not by itself requirefixing one particular model of heaps.

4 Recursive predicates in Z3

ARMC [11] and HSF [6] encode recursive predicates as Horn formulas in Prolog syntax. Ina similar style, µZ [10, 9] uses an extension of the SMT-LIB format for representing recursivepredicates. Recursive predicates are treated differently from non-recursive predicates. Recursivepredicates are defined in rules and checked in queries. Non-recursive predicates and functionsmay be used in rules and queries; they can be further constrained by background assertions.

4.1 Recursive predicates

Z3 has four syntactic constructs for handling recursive predicates. We summarize these below.

(rule rule ) declares a rule, where rule is an SMT-LIB expression expected to be of theform:

rule ::= (forall (bound ) rule ) | (=> body rule ) | (R args )

8


The relation R in the head is expected to be declared as a recursive relation. The supportedformat for body is as a quantifier-free formula such that the recursive predicates (such asR ) occur positively.

While the internal engine in µZ uses Horn clauses, rules are not required to be Hornclauses. Nested disjunctions in bodies are eliminated using a Tseitsin style transformationthat produces a set of Horn clauses.

(query query ) where query ::= (exists (bound ) query ) | body.

(declare-rel R (S 1 . . . S n)) declares a recursive relation R. It takes n arguments of sortS 1 . . . Sn respectively.

(declare-var v S ) Rules and queries may reference variables declared using declare-var.When used in rules, the variables are universally quantified, when used in queries, thevariables are existentially quantified. The declare-var construct is purely syntacticsugar. It makes writing rules more convenient because it saves the overhead of bindingthe same variables in different rules.

A query is satisfiable if there are instances of the existential variables and a derivationof recursive rules that derives the query. Otherwise a query is unsatisfiable. This definitioncorresponds to checking queries with Prolog and Datalog. It is dual to how the semanticscorresponds to SMT: when there is no instantiation of variables that satisfy a query it meansthat there is an interpretation of the recursive predicates that satisfy each rule, but satisfiesthe negation of the query. On the other hand, if a query has a solution, then the trace thatcorresponds to deriving the query is a proof: The trace provides quantifier instantiations of theHorn clauses and ∀~x . ¬query such that the resulting set of ground Horn clauses is unsatisfiable.

Equation (3) summarizes this characterization. The formula in (3) is closed and the goal isto check if it is equivalent to true. The set rules contains the recursive Horn clauses definedby rule and query is a formula corresponding to a query, ~x are declared as variables and ~Pare declared as recursive predicates:

∃~P .

( ∧r∈rules

∀~x . r(~x)

)∧ ∀~x . ¬query (3)

Example 1. Suppose we are given a recursive program sum

let rec sum n = if n <= 0 then 0 else n + sum (n-1)

and we wish to establish that sum n >= n for every n. The input-output specification of sum isa relation with one argument for the input and one argument for the output. We can specifysum using a set of Horn rules and the assertion as a query:

(declare-rel sum (Int Int))

(declare-var n Int)

(declare-var m Int)

(rule (=> (<= n 0) (sum n 0)))

(rule (=> (and (> n 0) (sum (- n 1) m)) (sum n (+ m n))))

(query (and (sum n m) (< m n)))

9


An interpretation for sum that satisfies the Horn clauses and the query is:

(define-fun sum ((A Int) (B Int)) Bool (and (>= B 0) (<= (+ (* (- 1) B) A) 0)))

4.2 Background

While currently unsupported in µZ, the format admits free functions and non-recursive predi-cates. It inter-operates with assertions over non-recursive predicates and functions.

Example 2. One can assert that a free function f is injective with partial converse g using anaxiom:

(declare-fun f (Int) Int)

(declare-fun g (Int) Int)

(assert (forall ((x Int)) (= (g (f x)) x)))

Then f can be used in rules. For example,

(declare-rel R (Int Int))

(declare-var x Int)

(declare-var y Int)

(rule (R 0 1))

(rule (=> (R x y) (R (f x) (f y))))

(query (and (R x y) (= x y)))

The query is unsatisfiable with the justification

(define-fun R ((A Int) (B Int)) Bool (not (= A B)))

Free functions and non-recursive predicates are treated logically different from recursivepredicates. Their meaning is succinctly captured by extending (3) by taking background as-

sertions and auxiliary predicates and functions into account. Let ~R, ~f be the non-recursivepredicates and functions, and asrts be the current assertions. Correspondence (4), derivedfrom (1), characterizes the semantics in the context of auxiliary predicates, functions and as-sertions:

∀~R, ~f . asrts ⇒ ∃~P .

( ∧r∈rules

∀~x . r(~x)

)∧ ∀~x . ¬query (4)

5 Summary

We made a case that SMT-LIB is a superb basis for exchanging benchmarks among symbolicsoftware model checkers. As a side-effect we also introduced an approach to specify recursiverelations modulo background assertions in the context of SMT-LIB. The format can be used inits own right. The proposed use of SMT-LIB uses a modest extension for describing rules anddeclaring recursive predicates.

10


References

[1] Akash Lal and Shaz Qadeer and Shuvendu Lahiri. Corral: A Solver for Reachability ModuloTheories. In CAV, July 2012.

[2] Aws Albarghouthi, Arie Gurfinkel, and Marsha Chechik. From under-approximations to over-approximations and back. In TACAS, pages 157–172, 2012.

[3] Aws Albarghouthi, Arie Gurfinkel, and Marsha Chechik. Whale: An interpolation-based algorithmfor inter-procedural verification. In Viktor Kuncak and Andrey Rybalchenko, editors, VMCAI,volume 7148 of Lecture Notes in Computer Science, pages 39–55. Springer, 2012.

[4] Michael Barnett, Bor-Yuh Evan Chang, Robert DeLine, Bart Jacobs, and K. Rustan M. Leino.Boogie: A Modular Reusable Verifier for Object-Oriented Programs. In FMCO, pages 364–387,2005.

[5] Clark Barrett, Aaron Stump, and Cesare Tinelli. The Satisfiability Modulo Theories Library(SMT-LIB). www.SMT-LIB.org, 2010.

[6] Sergey Grebenshchikov, Nuno P. Lopes, Corneliu Popeea, and Andrey Rybalchenko. Synthesizingsoftware verifiers from proof rules. In PLDI, 2012.

[7] Ashutosh Gupta, Corneliu Popeea, and Andrey Rybalchenko. Predicate abstraction and refinementfor verifying multi-threaded programs. In POPL, pages 331–344, 2011.

[8] William R. Harris, Sriram Sankaranarayanan, Franjo Ivancic, and Aarti Gupta. Program analysisvia satisfiability modulo path programs. In POPL, pages 71–82, 2010.

[9] Krystof Hoder and Nikolaj Bjørner. Generalized Property Directed Reachability. In SAT, 2012.

[10] Krystof Hoder, Nikolaj Bjørner, and Leonardo Mendonca de Moura. µZ- an efficient engine forfixed points with constraints. In CAV, pages 457–462, 2011.

[11] Andreas Podelski and Andrey Rybalchenko. ARMC: The Logical Choice for Software ModelChecking with Abstraction Refinement. In PADL, pages 245–259, 2007.

[12] Patrick Maxim Rondon, Ming Kawaguchi, and Ranjit Jhala. Liquid types. In PLDI, pages 159–169, 2008.

[13] Geoff Sutcliffe, Stephan Schulz, Koen Claessen, and Peter Baumgartner. The TPTP Typed First-Order Form with Arithmetic. In LPAR, pages 406–419, 2012.

[14] Philippe Suter, Ali Sinan Koksal, and Viktor Kuncak. Satisfiability modulo recursive programs.In SAS, pages 298–315, 2011.

11

Built-in Treatment of an Axiomatic

Floating-Point Theory for SMT Solvers∗

Sylvain ConchonLRI, Universite Paris Sud

Guillaume MelquiondINRIA Saclay–Ile-de-France

Cody RouxLRI, Universite Paris Sud

Mohamed IguernelalaLRI, Universite Paris Sud

Abstract

The treatment of the axiomatic theory of floating-point numbers is out of reach ofcurrent SMT solvers, especially when it comes to automatic reasoning on approximationerrors. In this paper, we describe a dedicated procedure for such a theory, which providesan interface akin to the instantiation mechanism of an SMT solver. This procedure is basedon the approach of the Gappa tool: it performs saturation of consequences of the axioms,in order to refine bounds on expressions. In addition to the original approach, bounds arefurther refined by a constraint solver for linear arithmetic. Combined with the naturalsupport for equalities provided by SMT solvers, our approach improves the treatment ofgoals coming from deductive verification of numerical programs. We have implemented itin the Alt-Ergo SMT solver.

1 Introduction

On modern computers, floating-point arithmetic is by far the most common way of approx-imating real arithmetic and hence performing numerical computations. This comes from itsinherent mathematical simplicity (very large range and guaranteed precision) combined witha strong will to ensure portability of this arithmetic across all architectures without forsakingperformance [11]. These properties usually make this arithmetic an obvious choice for buildingnumerical software. In many cases, for instance in avionics, critical systems make heavy use offloating-point computations.

But despite their simplicity, floating-point computations do not in general return the sameresult as ideal real computations. Indeed, while precision is guaranteed, accuracy is not: thenegligible rounding errors caused by every operation might add up and cause the computedvalues to arbitrarily diverge from the expected values. In particular, floating-point arithmetichas some counter-intuitive properties when it comes to accuracy: the sum of two numbers thatcauses the biggest inaccuracy is the one that is the most precise (exact result). For example,take a and b to be the floating-point representations of 1.1 and 1, respectively. Then thefloating-point number that is the result of a− b can be computed with perfect accuracy: thereis no loss of digits. However it is not the floating-point number that is closest to the “desired”result 0.1. This discrepancy between computed and expected results has been the source ofnumerous software and hardware failures [13].

The Gappa tool replicates the kind of reasoning one would use to prove correctness of state-of-the-art floating-point hardware and software. It automatizes the proofs in a highly efficientway, as long as the verification conditions only deal with arithmetic constructs [6]. Unfortu-nately, some program constructs tend to leak into the verification conditions and obfuscate thearithmetic constructs Gappa relies on. For instance, programs might be using arrays, have lots

∗Work supported by the French ANR projects ANR-08-005 DeCert and ANR-11-INSE-03 Verasco.


An Axiomatic Floating-Point Theory for SMT Solvers S. Conchon, G. Melquiond, C. Roux, M. Iguernelala

of different execution paths; as a side-effect of their generation process, verification conditionsmight be littered with useless lemmas and equalities. All of these issues are the cause for extrawork from the user and hence partly defeat the point of automatizing the process.

On the other hand, SMT solvers, which are ubiquitous in deductive program verification,are especially designed to handle these issues. They have built-in theories of arrays and con-gruences and specialized algorithms for instantiating lemmas, they depend on SAT solvers forpropositional logic, and so on. Floating-point numbers are not presently handled by most SMTsolvers, although there is a proposal to add them to the SMT-LIB 2 standard [14]. This wouldallow a complete description of the bit-level representation of IEEE-754 floating-point numbersand operations, including exceptional values. However error analysis is out of the scope of sucha description, as there is no way to embed floating-point values into real numbers.

In this paper, we present a way to implement the proof mechanism of Gappa inside anSMT solver to allow reasoning on approximation errors in a theory of reals with floating-pointoperators. Section 2 describes the proof mechanism of the Gappa tool. Section 3 explains thelimits of a purely axiomatic approach to integrating floating-point reasoning in an SMT solver.Section 4 presents a description of the integration of the procedure as a built-in instantiationbased algorithm. Section 5 gives an example that uses the most salient features of the algorithm.

2 The Gappa Tool

Gappa is a tool dedicated to proving the logical formulas that usually occur when verifying thenumerical correctness of a program [5]. These formulas are described by the following simplegrammar:

prop ::= ¬prop | prop ∧ prop | prop ∨ prop | prop ⇒ prop | atom

atom ::= expr ≤ number | expr ≥ number | expr = expr

expr ::= ident | number | − expr | abs(expr) | sqrt(expr)

| expr expr | rnd...(expr)

with ∈ +,−,×, /. The semantics of these formulas is, for the most part, straightforward:identifiers are mapped to universally-quantified variables of real type, arithmetic operators andrelations are mapped to the corresponding symbols of real arithmetic, and logical connectivesare given their usual propositional meaning.

2.1 Rounding operators

Rounding functions are sufficient to express computations that occur inside a numerical pro-gram, thanks to the philosophy that underlies most computer arithmetic. For instance, considerthe IEEE-754 standard for floating-point arithmetic [11] that describes the behavior of mostfloating-point units you will find in modern processors. It states: “a floating-point operatorshall behave as if it was first computing the infinitely-precise value and then rounding it sothat it fits in the destination floating-point format”, assuming the inputs are not exceptionalvalues. As a consequence, a floating-point addition between two floating-point numbers u andv should behave as if it was rnd...(u + v) for some properly parametrized rounding operator.

For instance, if the destination format is binary32 from IEEE-754 and if the roundingdirection is the default one, then rnd(x) satisfies the following properties: it is a real number ysuch that there are two integers m and e with y = m ·2e, |m| < 224 and e ≥ −149. Moreover, it

13


is the number that minimizes the distance |y − x|. Finally, if there are several such numbers,1

then y is chosen so that it can be represented with a mantissa m that is an even integer whilestill preserving e ≥ −149. Note that there is no upper bound on e as overflow is generallyhandled by a separate analysis. Floating-point arithmetic is standardized in such a way that itis always the case that there exists one and only one such number.

2.2 Proof Mechanism

When given a logical formula to prove, Gappa starts by performing some manipulations untilit reaches an equivalent problem consisting of a disjunction of formulas of the following form:

t1 ∈ I1 ∧ . . . ∧ tn ∈ In ⇒ ⊥.

Terms t1, . . . , tn are Gappa expressions, while I1, . . . , In are intervals with numerical bounds.Actually, Gappa handles more predicates than just membership in an interval [6], but for thesake of simplicity, they will not be mentioned here.2

Gappa has a database of over 200 theorems which can be split into three categories. Thefirst deals with real arithmetic, e.g. knowledge about square roots. The second category handlesrounding operators and computer formats. The third category is composed of rewriting rulesthat simulate reasoning similar to that of forward error analysis.

Gappa applies these theorems on the hypotheses of the logical formula by a saturationmechanism, in order to deduce new facts. It keeps going until a contradiction is deduced or nonew facts are found. Note that the tool is not guaranteed to terminate, and even if it does, anabsence of contradictions does not mean that the property is true.

Theorems about real arithmetic and rounding operators have the following form:

∀~x, ∀I1, . . . , In, I, f1(~x) ∈ I1 ∧ . . . ∧ fn(~x) ∈ In ∧ P (I1, . . . , In, I)⇒ f(~x) ∈ I.

Expressions f1, . . . , fn, f are specific to a given theorem, and so is the relation P betweenintervals. Moreover, Gappa knows some partial function h such that P (I1, . . . , In, h(I1, . . . , In)).From the point of view of Gappa, even rewriting rules fit this model: n = 1, P is ⊆, and h isthe identity.

2.3 Theorem Instantiation

Gappa first performs symbolic backward reasoning for all the terms t1, . . . , tn that appear onthe left-hand side of the original formula. The heuristic is that, if a contradiction is to befound, then it will be with one of the original bounds. It therefore searches which theoremshave a conclusion that could be used to compute a bound for one of the original terms. Thehypotheses of these theorems are enclosures too, so Gappa searches recursively on their termstoo. The search proceeds in a manner similar to Prolog, as the theorems have the form ofHorn clauses. The procedure stops when it finds that it needs to bound one of the terms of theoriginal formula. In practice, this backward search terminates since theorems have been chosenso that the terms on the left-hand side are somehow smaller than the term on the right-handside. This solves the issue of the set of terms being unbounded, but not the issue of findinginstances for every ~x, except that this time, the uninstantiated variables are on the left. Gapparelies on various heuristics to fill the holes.

1In other words, x is the midpoint between two consecutive floating-point numbers.2The list of predicates and theorems that Gappa relies on are listed in its documentation: http://gappa.

gforge.inria.fr/doc/index.html.

14

http://gappa.gforge.inria.fr/doc/index.html

http://gappa.gforge.inria.fr/doc/index.html


Once Gappa has performed this step of backward reasoning, it knows which terms andtheorems are potentially useful. It can therefore perform the actual saturation, which is nowjust reduced to numerical computations on the bounds of the intervals.

3 Handling Gappa Axioms with SMT Solvers

SMT solvers are highly efficient tools for checking satisfiability of ground formulas from thecombination of specific theories such as uninterpreted equality, linear arithmetic over rationalsor integers, arrays and bit-vectors. SMT solvers may also handle quantified formulas[7, 2, 8, 4].For that, they use heuristics to find good instances of universally-quantified lemmas present inthe problem. These heuristics are usually guided by a set of instantiation patterns (also knownas triggers) and a set of known terms, that is (ground) terms that appear in the facts assumedby the solver.

Knowing how SMT solvers handle quantified formulas, a tempting approach would be todescribe the Gappa floating-point theory by a set of first-order formulas annotated with relevanttriggers. For instance, axioms like

∀x, y, z. y 6= z ⇒ x× (y − z) = x× y − x× z

can be given to an SMT solver with x×(y−z) as a trigger (if it allows defined functions to appearin triggers). Other axioms can also just be ignored because they are directly implemented bythe decision procedures of SMT solvers. For instance, axioms like

∀x, y. x− y = (x− rnd(y)) + (rnd(y)− y)

are directly handled by the decision procedure for linear arithmetic. This category contains allthe axioms for the free theory of equality, the linear theory of arithmetic, etc.

Unfortunately, this solution does not apply to all Gappa axioms. For example, in thefollowing quantified formula

∀i, p, e, x. |x| ≤ i⇒ |float(p, e, NearE, x)− x| ≤ 2max(e,(ceil(log2(i))−p))

a relevant trigger would be the term float(p, e, NearE, x). However, since it does not containthe bound variable i, the solver has to consider all reals as potential bounds for x, or it canrestrict substitutions to syntactic bounds, i.e. bounds that occur in a syntactic ground predicateof the form |t| ≤ c. The first solution is impracticable. The main problem with the secondsolution is that relevant bounds do not usually occur in terms, but come from some deduction.Moreover, an effective implementation of the floating-point theory of Gappa also requires fromSMT solvers the ability to compute bounds like 2max(b,(ceil(log2(i))−a)).

4 Gappa as a Matching Algorithm

The floating-point module we describe here is based on an interval analysis and a saturationapproach nearly identical to that which is implemented in Gappa [5]. We interact with theSMT solver using the following interface. We take as input

• the set of terms considered by the solver that have as head symbol a symbol of arithmetic,such as x + y or float(t[i]),

15


• the set of literals that involve arithmetic, such as t ≤ u, or t = u with t or u in thearithmetic theory,

• the module for matching modulo the equalities deduced by the solver.

The procedure returns in turn

• the deduced bounds on the considered terms,

• a set of equalities that are a consequence of these bounds,

• a set of contradictory literals, if a contradiction is deduced from its input.

We proceed as outlined in Section 2 and try to instantiate axioms of the database of axiomsfrom the floating-point theory that are deemed relevant for finding interesting bounds on theconsidered terms. Note that the effectiveness of this approach is based in great part on therelevance of the axioms involved, which are based on the fine-tuned library of theorems foundin Gappa. The lemmas generated by instantiation of the theorems are then applied to knownbounds of terms until saturation, i.e. until there are no improvements on the bounds.

The interface is generic: it can be integrated into a framework with an existing procedurefor arithmetic. This may in fact be quite useful, as the procedure is far from complete forarithmetic expressions involving non-linear constructions.

The floating-point module maintains internal information that is not directly expressiblein most SMT solvers, such as the number of bits with which it is possible to represent a realnumber in a certain floating-point encoding. The set of lemmas will therefore be internal to themodule, and computational instances are created when needed, by matching modulo equalityon the considered terms. The procedure then checks which lemmas may actually be appliedgiven the bound information on the terms, and applies these lemmas until no new consequencescan be created.

A simplex-based algorithm [3] then finds the optimal bounds by linear combination of these.Improved bounds may then lead to another round of saturation by application of the instantiatedaxioms. In the case where no contradictions (empty bounds) are found, then equalities thatwere deduced by the simplex algorithm are sent on to the main loop of the SMT solver.

4.1 Description of the algorithm

The internal state of the module consists of the following data:

• the set of all instantiated theorems, which we call lemmas, with the set of terms on whichthey depend, as well as the terms in the conclusion,

• the set of all considered terms, along with the set of lemmas that allow a bound to bededuced for each term and the lemmas that depend on them,

• the bounds that have already been deduced by the theory.

The SAT solver sends literals to a theory solver that deduces initial bounds on the termsby linear combinations, and terms to the lemma generation which instantiates the axiomspotentially necessary to infer bounds on terms and sub-terms that appear in the literals. Thegraph generated is in the form of that shown in Figure 2, where terms are linked with thelemmas that depend on them and lemmas are connected to the terms whose bounds they may

16


SAT

Linear Bounds Gen Lemmas

Match

Refine Bounds

Simplex

matchliterals terms

lemmasbounds

constraints

equalities,unsat

Figure 1: Description of the floating-pointprocedure.

x y z

flt

float(x)

flt

float(y)

+

x + y

+

float(x) + float(y)

×

float(x)× z

. . .

Figure 2: An example lemma dependencygraph (with some cycle).

improve. The theorems are instantiated using the matching mechanism already present in theSMT solver. The description of the process is outlined in Figure 1.

Once we have computed the graph of lemmas that are potentially useful, we enter into thecomputational phase: we use the linear solver to infer initial bounds on some subset of theconsidered terms, and the lemmas are applied in succession, each new refined bound triggersthe application of the lemmas that depend on it.

Once a fixed point is reached (no bounds are improved), we use the deduced bounds to buildconstraints which are sent to a simplex algorithm, which refines the bounds of every term. Tolimit the calls to the simplex algorithm, we only refine the bounds of terms on which somecomputational lemma applies, and on terms that are known to not be constants.

The alternation of calls between the simplex algorithm and the application of the lemmascontinues until

• either a contradiction is found, in which case the incriminating literals are identified andsent to the SAT module, which then chooses the next literals to send to the theory,

• or no new bounds are computed yet no contradiction is found, and the equalities that canbe deduced from the bounds are returned to the SAT solver.

The simplex algorithm is incremental. This increases the performance of the procedure insubsequent calls by a factor of 5 to 10. However backtracking is not possible in the currentversion of the algorithm, which forces the whole process to be restarted at each call to theglobal decision procedure.

At the end of the saturation process, an equality is deduced by examining the bounds whichare trivial, i.e. t ∈ [i, i] in which case we deduce t = i. The use of the simplex algorithmensures that all such equalities that are linear consequences of the deduced constraints will befound. Since the module considers terms that may not be terms (or sub-terms) that appear inthe original problem, it may choose not to propagate such equalities to the other theories.

17


Correctness of the algorithm depends on the correctness of each process. The crucial pointsare the validity of the theorems that are instantiated, the correctness of the simplex algorithm,and the fact that the literals identified in the unsatisfiability witnesses are a super-set of someminimal set of literals that lead to a contradiction.

We take pains to apply only lemmas that are true of both the ring of real numbers and thatof integers, with the computed bounds being represented by rational numbers. Of course there isno floating-point operator on integers, but certain operators are overloaded, like the arithmeticoperators and absolute values. This means that the floating-point “box” is generic: the boundsdeduced by it are valid in the case where terms denote integers, and can be subsequently refinedby integer-specific methods; typically by performing case analysis on the bounds.

Our system is not complete, as we are in a very expressive fragment of arithmetic, thatincludes integer arithmetic. Additionally, even the restriction of our theory to real arithmeticwith a floating-point operator is likely to be either undecidable, or with a decision procedureof prohibitive complexity. We have tried to find the optimal trade-off between speed andexpressiveness, with emphasis on proving error bounds.

Termination is also not guaranteed, as it is easy to build a set of terms that satisfy thefollowing relations:

x ∈ [−1, 1]

x = f(x)

∀y, f(y) ≤ k · y, k ∈]0, 1[

In which case each pass of the algorithm will scale the bounds for x by a factor k, withoutever converging to the fixed point x ∈ [0, 0].

We adopt the simple solution of stopping the iteration after a fixed number of cycles.

5 Case Study

We give an example application of our development by automatically deriving an error bound ona simple algorithm that computes the sum of the 10 elements of an array with values initializedto the floating-point approximation of 0.1. We give this code in Figure 3 using the Why3specification and programming language [9], which allows us to write imperative code withHoare-logic style annotations.

The Why3 framework generates a number of proof obligations in the Alt-Ergo format, splitinto safety properties and properties given by the assertions.

The rnd function performs the binary32 nearest-ties-to-even rounding of a real number, ifthis operation does not result in an overflow. The add function performs the addition as it isdefined on floating-point numbers i.e. as the rounding of the infinite-precision addition on thefloats seen as real numbers. Again, this function takes as precondition that the addition doesnot result in an overflow.

The invariant specifies that the partial sums at step i+ 1 are at distance no more than i1000

from i10 , which allows us to easily conclude that the sum is at distance less than 1/100 from 1

at the end of the loop.

Our extension is able to prove the 10 generated properties, three of which are not proven byAlt-Ergo or Gappa as the former does not have knowledge of bounds on floating-point errors,and Gappa cannot perform reasoning on equality or general linear arithmetic. This stressesthe necessity of combining the two solvers. The hardest goal generated by Why3 is given in

18


module Sum

let rnd x = no_overflow NearestTiesToEven x

round NearestTiesToEven x

result = round NearestTiesToEven x

let add x y =

no_overflow NearestTiesToEven (x +. y)

round NearestTiesToEven (x +. y)

result = round NearestTiesToEven (x +. y)

let sum () =

let a = make 10 (rnd 0.1) in

let s = ref (rnd 0.) in

for i = 0 to 9 do

invariant

abs(!s -. 0.1 *. from_int i) <=. 0.001 *. from_int i

s := add !s a[i]

done;

!s

abs (result -. 1.) <=. 0.01

end

Figure 3: A simple imperative program using floats.

goal WP_parameter_sum :

abs(float(53,1074,ne,0.1)) <= 0x1.FFFFFFFFFFFFFp1023 -> 0 <= 10 ->

abs(float(53,1074,ne,0.)) <= 0x1.FFFFFFFFFFFFFp1023 -> 0 <= 9 ->

forall s:real. forall i:int. (0 <= i and i <= 9) -> i <= 10 and

abs(s - (0.1 * real_of_int(i))) <= 0.001 * real_of_int(i)) ->

(0 <= i and i < 10) and

abs(float(53,1074,ne,s + const(float(53,1074,ne,0.1))[i]))

<= 0x1.FFFFFFFFFFFFFp1023 and

forall s1:real.

s1 = float(53,1074,ne,s + const(float(53,1074,ne,0.1))[i]) ->

i + 1 <= 10 and

abs(s1 - (0.1 * real_of_int(i + 1))) <= 0.001 * real_of_int(i + 1)

Figure 4: Loop invariant preservation.

Figure 4; it specifies that the invariant is preserved by the operations performed in the loop,with additional non-overflow conditions.

The expression float(p,e,m,x) denotes the floating-point approximation to x with round-

19


ing mode m (ne is nearest float with even mantissa in case of tie), a mantissa of at most p bits,and an exponent greater than −e. The expression real of int(x) is simply a cast from thetype of integers to that of real numbers.

Our extension of Alt-Ergo handles this goal in 1.4 seconds (Intel Core 2.66 GHz, 2 GBRAM) by application of the error-bound theorems and the linear arithmetic solver. Firstnote that real of int is a congruence, which allows 1

1000 · real of int(i + 1) to be treated asreal of int(i)

1000 + 11000 . We split on the sign of terms t such that |t| appears in the goal. If t ≥ 0,

we add the equality t = |t| to the set of literals and t = −|t| otherwise. Then the equalitiesconst(t)[i] = i are instantiated for each appropriate term.

Finally linear arithmetic allows us to bound the terms t such that float(p, e, d, t) appears inthe goal: 0.1 is bounded by definition, and s + float(53, 1074, ne, 0.1) can be derived from thebound on i and the inequality s− (0.1× i) ≤ 0.001× i.

The theorem on absolute errors can then be instantiated by the floating-point module togenerate a bound of the form:

float(53, 1074, ne, s + float(53, 1074, ne, 0.1))− (s + float(53, 1074, ne, 0.1)) ∈ [−ε, ε]

A last step of linear arithmetic is required to conclude.A more realistic example entails proving the safety properties of a C program involving

floating-point computations which was originally part of an avionics software system. Safetyproperties are generated by the Frama-C/Why3 tool-chain, and involve properties about integerand floating-point overflow, correctness of memory access, etc. Here also the Alt-Ergo extensionmanages to prove all 36 goals, 10 of which involve floating-point properties (Alt-Ergo proves 2of those goals). However the added expressiveness comes at the cost of speed: on average Alt-Ergo with the floating-point module is 5 times slower than Alt-Ergo alone, on goals involvingreal arithmetic.

Gappa is able to prove the overflow properties, but at the cost of manually performingtheorem instantiation, which Alt-Ergo handles on its own.

6 Conclusion and perspectives

We have described an implementation of a theory of real numbers with floating-point operatorsby a dedicated matching procedure, which can be plugged into an SMT solver. Given termsand initial constraints, the procedure performs matching modulo ground equalities, saturationand calls to a linear solver to deduce bound information on terms.

This framework is standalone. It can be integrated as-is, notwithstanding slight changesto the usual interface of the matching module: literals assumed by the solver need to be sentinstead of just terms. A tighter integration would re-use the procedure for deciding lineararithmetic already present in the SMT solver, provided that it could be queried for the bestpossible bounds of a term.

We have implemented this procedure in the Alt-Ergo SMT solver, replacing the part of thearithmetic module that deals with inequalities, as it became redundant with our work.

The use of the simplex algorithm, while powerful, is also the source of the greatest perfor-mance penalty: it may be called many thousands of times on large goals.

The theory of floats we describe here does not consider NaN or infinite values, unlike tothe proposed addition to the SMT-LIB. However Ayad and Marche show [1] that it is possibleto encode such floating-point data by a combination of algebraic data-types and cases on onehand, and an unbounded model of floating-point numbers as used in Gappa and in the present

20


work on the other hand. One can then observe that the “exceptional” cases in which NaN or±∞ appear are handled quite easily by the traditional theories in the SMT solver, and ouraddition is designed to solve the other cases.

Future Work

Clearly, our first goal is to improve performance of the procedure on large problems, allowingus to treat a wider range of examples from industrial software verification. Moreover we havenot integrated all the theorems from Gappa, just those which were required for most immediateuse. In particular, we only treat absolute error and not yet relative error.

Similar work has been brought to our attention by the reviewers [12, 10]. In this work,the authors introduce a theory capable of handling general constraints on real numbers withfloating-point constraints, as we are. The constraints are handled by their LRA+ICP algorithm(Linear Real Arithmetic and Interval Constraint Propagation) in a manner related to ours,though they do not have as general floating-point operators, nor do they have rewriting-basedheuristics for transforming the non-linear constraints. They furthermore propose a mechanismbased on successive interval refinements to avoid the cost of successive calls to a linear opti-mization algorithm. Further work is needed to understand whether such an approach is feasiblein our framework.

References

[1] A. Ayad and C. Marche. Multi-prover verification of floating-point programs. In IJCAR 5, volume6173 of LNAI, pages 127–141, Edinburgh, Scotland, July 2010.

[2] C. Barrett and C. Tinelli. CVC3. In CAV, pages 298–302, 2007.

[3] F. Bobot, S. Conchon, E. Contejean, M. Iguernelala, A. Mahboubi, A. Mebsout, and G. Melquiond.A simplex-based extension of Fourier-Motzkin for solving linear integer arithmetic. In IJCAR 6,volume 7364 of LNAI, Manchester, UK, 2012.

[4] S. Conchon and E. Contejean. Alt-Ergo. Available at http://alt-ergo.lri.fr, 2006.

[5] M. Daumas and G. Melquiond. Certification of bounds on expressions involving rounded operators.Transactions on Mathematical Software, 37(1):1–20, 2010.

[6] F. de Dinechin, C. Lauter, and G. Melquiond. Certifying the floating-point implementation of anelementary function using Gappa. Transactions on Computers, 60(2):242–253, 2011.

[7] L. de Moura and N. Bjørner. Z3: An efficient SMT solver. In TACAS, pages 337–340, 2008.

[8] B. Dutertre and L. de Moura. Yices. Available at http://yices.csl.sri.com/tool-paper.pdf,2006.

[9] J.-C. Filliatre and C. Marche. The Why/Krakatoa/Caduceus platform for deductive programverification. In CAV 19, volume 4590 of LNCS, pages 173–177, Berlin, Germany, 2007.

[10] S. Gao, M. K. Ganai, F. Ivancic, A. Gupta, S. Sankaranarayanan, and E. M. Clarke. IntegratingICP and LRA solvers for deciding nonlinear real arithmetic problems. In FMCAD, pages 81–89,Lugano, Switzerland, 2010.

[11] IEEE Computer Society. IEEE Standard for Floating-Point Arithmetic. 2008.

[12] F. Ivancic, M. K. Ganai, S. Sankaranarayanan, and A. Gupta. Numerical stability analysis offloating-point computations using software model checking. In MEMOCODE, pages 49–58, Greno-ble, France, 2010.

[13] J.-M. Muller, N. Brisebarre, F. de Dinechin, C.-P. Jeannerod, V. Lefevre, G. Melquiond, N. Revol,D. Stehle, and S. Torres. Handbook of Floating-Point Arithmetic. Birkhauser, 2010.

[14] P. Rummer and T. Wahl. An SMT-LIB theory of binary floating-point arithmetic. In SMT 8 atFLoC, Edinburgh, Scotland, 2010.

21

http://alt-ergo.lri.fr

http://yices.csl.sri.com/tool-paper.pdf

Reasoning with TriggersClaire Dross

LRI, Universite Paris-Sud 11,CNRS, Orsay F-91405

INRIA Saclay-Ile de France,ProVal, Orsay F-91893AdaCore, Paris F-75009

Sylvain ConchonLRI, Universite Paris-Sud 11,

CNRS, Orsay F-91405INRIA Saclay-Ile de France,

ProVal, Orsay F-91893

Johannes KanigAdaCore, Paris F-75009

Andrei PaskevichLRI, Universite Paris-Sud 11,

CNRS, Orsay F-91405INRIA Saclay-Ile de France,

ProVal, Orsay F-91893

Abstract

SMT solvers can decide the satisfiability of ground formulas modulo a combination ofbuilt-in theories. Adding a built-in theory to a given SMT solver is a complex and timeconsuming task that requires internal knowledge of the solver. However, many theories(arrays [13], reachability [11]), can be easily expressed using first-order formulas. Unfor-tunately, since universal quantifiers are not handled in a complete way by SMT solvers,these axiomatics cannot be used as decision procedures.

In this paper, we show how to extend a generic SMT solver to accept a custom theorydescription and behave as a decision procedure for that theory, provided that the describedtheory is complete and terminating in a precise sense. The description language consistsof first-order axioms with triggers, an instantiation mechanism that is found in many SMTsolvers. This mechanism, which usually lacks a clear semantics in existing languages andtools, is rigorously defined here; this definition can be used to prove completeness andtermination of the theory. We demonstrate using the theory of arrays, how such proofscan be achieved in our formalism.

1 Introduction

SMT solvers are sound, complete, and efficient tools for deciding the satisfiability of groundformulas modulo combinations of built-in theories such as linear arithmetic, arrays, bit-vectorsetc. Usually, they work on top of a SAT solver which handles propositional formulas. Assumedliterals are then handed to dedicated solvers for theory reasoning. These solvers are complete.Adding a new theory to the framework is a complex and time consuming task that requiresinternal knowledge of the solver. For some theories however, it is possible to give a first-orderaxiomatization. Unfortunately, even if a few SMT solvers also handle first-order formulas, forexample, Simplify [6], CVC3 [9], Z3 [5] and Alt-Ergo [2], these axiomatizations cannot be usedas theories. Indeed, these solvers are not complete when quantifiers are involved, even in theabsence of theory reasoning.

SMT solvers handle universal quantifiers through an instantiation mechanism. They main-tain a set of ground formulas (without quantifiers) on which theory reasoning is done. This setis periodically augmented by heuristically chosen instances of universally quantified formulas.

The heuristics for choosing new instances differ between SMT solvers. Nevertheless, it iscommonly admitted that user guidance is useful in this matter [6, 12]. The choice of instancescan be influenced by manually adding instantiation patterns, also known as triggers. Thesepatterns are used to restrict instantiation to known terms that have a given form. Here is anexample of a universally quantified formula with a trigger in SMT-LIB [1] notation:

(forall ((x Int)) (! (= (f x) c) :pattern ((g x))))


Reasoning with Triggers C. Dross, S. Conchon, J. Kanig, A. Paskevich

The syntax for triggers includes a bang (a general syntax for annotating formulas) before therestricted formula (= (f x) c) and the keyword :pattern to introduce the trigger (g x). Thecommonly agreed meaning of the above formula can be stated as follows:

Assume (= (f t) c) only for terms t such that (g t) is known.

Intuitively, a term is known when it appears in a ground fact assumed by the solver. However,that rule is quite vague and does not include answers to the following questions: when does aterm become known? Is that notion to be considered modulo equality and modulo the built-in theories, and finally, when is this rule applied exactly, and to which formulas? Differentprovers have found different answers to these questions, consequence of the fact that triggersare considered a heuristics and not a language feature with precise semantics.

We give a proper semantics for first-order formulas with triggers. In this semantics, instan-tiation of universally quantified formulas is restricted to known terms. This makes it possibleto extend a generic SMT solver so that it behaves as a decision procedure on an axiomatizationrepresenting a custom theory, provided the theory is complete in our framework. This enablesnon-expert users to add their own decision procedure to SMT solvers. Unlike first-order axiom-atization in SMT solvers handling quantifiers, a proof of completeness and termination of thedecision procedure can be attempted and, unlike manual implementation of decision proceduresinside SMT solvers, it does not require internal knowledge of the solver.

In Sect. 2, we introduce a formal semantics for first-order logic with a notation for instanti-ation patterns that restrict instantiation. It formalizes both the notion of trigger and the dualnotion of known term. We show that this extension of first-order logic is conservative: formulaswithout triggers preserve their satisfiability under this semantics. We present in Sect. 3 a the-oretical way of extending a generic ground SMT solver so that it can turn an axiomatization Twith triggers into a decision procedure, provided that T has some additional properties. Finally,in Sect. 4, we demonstrate on the non-extensional theory of arrays how our framework can beused to demonstrate that an axiomatization with triggers indeed fulfills its requirements.

Related Work. Triggers are a commonly used heuristic in SMT solvers that handle quan-tifiers. User manuals usually explain how they should be used to achieve the best perfor-mance [6, 12, 9]. Triggers can be automatically computed by the solvers. A lot of work hasalso been done on defining an efficient mechanism for finding the instances allowed by a trig-ger. These techniques, called E-matching, are described in [6, 13] for Simplify, in [4] for Z3,and in [9] for CVC3. Other heuristics for generating instances include model-based quantifierinstantiation [8] and saturation processes closed to the superposition calculus [3].

In this paper, triggers are not handled in the usual manner. On the one hand, since SMTsolvers are not complete in general when quantifiers are involved, they favor efficiency overcompleteness in the treatment of triggers. For example, they usually do not attempt to matchtriggers modulo underlying theories. On the other hand, in our framework, triggers are used todefine theories, and they need therefore to be handled in a complete way.

Triggers can also be used in complete first-order theorem provers to guide the proof searchand improve the solver’s efficiency. This is done on a complete solver for a subset of first-orderlogic with linear arithmetics based on a sequent calculus in [14].

As for using an SMT solver as a decision procedure, the related idea that a set of first-orderformulas can be saturated with a finite set of ground instances has been explored previously. Forexample, in [10], decision procedures for universally quantified properties of functional programsare designed using local model reasoning. In the same way, Ge and de Moura describe fragmentsof first-order logic that can be decided modulo theory by saturation [8]. Both of these works

23


JF1 ∧ F2K± , JF1K± ∧ JF2K± J〈t〉 F K± , known(T (t)) ∧ JF K±

JF1 ∨ F2K± , JF1K± ∨ JF2K± J[t] F K± , known(T (t))→ JF K±

J∀x. F K± , ∀x. known(x)→ JF K± J∃x. F K± , ∃x. known(x) ∧ JF K±

J¬F K+ , ¬JF K− J¬F K− , ¬JF K+

JAK+ , known(T (A))→ A JAK− , known(T (A)) ∧A

Figure 1: Semantics of FOL?-formulas (J K± denotes either J K+ or J K−)

define a restricted class of universally quantified formulas that can be finitely instantiated. Wedo not impose such restrictions a priori but rather require a dedicated proof of completeness.

2 First-Order Logic with Triggers and Witnesses

In this section, we extend classical first-order logic, denoted FOL, with constructions to specifyinstantiation patterns and known terms. The semantics of this extension, denoted FOL?, isdefined through an encoding into usual first-order logic. In the rest of the article, we writeformulas in standard mathematical notation.

2.1 Syntax

Informally, a trigger is a guard that prevents the usage of a formula until the requested termis known. We write it [t]F , which should be read if the term t and all its sub-terms are knownthen assume F . Note that we do not require a trigger to be tied to a quantifier. We separatethe actual instantiation of a universal formula from the decision to use its result.

A dual construct for [t] F , which we call witness, is written 〈t〉 F and is read assume that theterm t and all its sub-terms are known and assume F . This new construction explicitly updatesthe set of known terms, something for which there is no proper syntax in existing languages.

The extended syntax of formulas can be summarized as follows:

F ::= A | F1 ∧ F2 | F1 ∨ F2 | ∀x. F | ∃x. F | 〈t〉 F | [t] F | ¬F

We treat implication (→) and equivalence (↔) as abbreviations, in a standard fashion.

2.2 Denotational Semantics

We define the semantics of our language via two encodings J K+ and J K− into first-order language,given in Fig. 1. The notation J K± is used when the rule is the same for both polarities andthe polarity of the sub-formulas does not change. We introduce a fresh unary predicate symbolknown which denotes the fact that a term is known. Given a term t or an atomic formula A, wedenote with T (t) (respectively, T (A)) the set of all the non-variable sub-terms of t (resp. A).The expression known(T (t)) stands for the conjunction

∧t′∈T (t) known(t′).

We require universally quantified formulas to be instantiated with known terms. This isconsistent with the standard use of triggers: indeed, SMT solvers require (or compute) a triggercontaining each quantified variable for every universal quantifier. Then every term that replacesa universally quantified variable is necessarily known, since sub-terms of a known term are

24


known, too. Dually, every existentially quantified variable is assumed to be known. This isnecessary in order to allow instantiation with a witness from an existential formula.

To maintain the invariant that the sub-terms of a known term are also known, our inter-pretation of 〈t〉 F implies the presence of every non-variable sub-term of t (the presence ofvariables is assured by interpretation of the quantifiers). Dually, [t] F requires the presence ofevery non-variable sub-term of t; due to the mentioned invariant, this is not a restriction.

Finally, whenever we encounter an atomic formula, regardless of its polarity, we assume thepresence of its sub-terms. This is also in agreement with the standard use of triggers.

We define entailment in FOL? as follows:

F `? G , known(ω), JF K− ` JGK+

where ω is an arbitrary fresh constant supposed to be known a priori, and ` stands for entail-ment in FOL.

A peculiar aspect of FOL? is the cut rule is not admissible in it. Indeed, one cannot prove∀x . [f(x)] P (f(x)), ∀x . [f(g(x))] (P (f(g(x))) → Q(x)) `? Q(c), since the term f(g(c)) is notknown and neither of the premises can be instantiated. However, Q(c) is provable via anintermediate lemma P (f(g(c)))→ Q(c).

2.3 Example

Consider the following set of formulas R from the previous section:

R = f(0) ≈ 0, f(1) 6≈ 1, ∀x.[f(x + 1)] f(x + 1) ≈ f(x) + 1

We want to show that R is unsatisfiable in FOL?, that is to say, R `? ⊥. By definition, wehave to prove that known(ω), JRK− ` ⊥.

JRK− =

known(T (f(0) ≈ 0)) ∧ f(0) ≈ 0,

known(T (f(1) 6≈ 1)) ∧ f(1) 6≈ 1,

∀x. known(x)→ known(T (f(x + 1)))→known(T (f(x + 1) ≈ f(x) + 1)) ∧ f(x + 1) ≈ f(x) + 1

The set of formulas JRK− is unsatisfiable in first-order logic with arithmetic. Therefore, in

our framework, the initial set R is unsatisfiable.

2.4 The Extension of First-Order Logic is Conservative

Even if a formula does not contain triggers or witnesses, our encoding modifies it to restrictinstantiation of universal formulas. However, it preserves satisfiability of formulas in classicalfirst-order logic with equality.

Theorem 2.1 (Soundness). For every first-order formula F , if we have F `? ⊥, then we alsohave F ` ⊥.

Proof. Since known is a fresh predicate symbol, for every model M of F , there is a model M ′

of F such that M ′ only differs from M in the interpretation of known and M ′ ` ∀x.known(x).By immediate induction, (∀x.known(x))∧F ` JF K−. As a consequence, M ′ is a model of JF K−and F 6`? ⊥. Thus, by contra-position, if F `? ⊥ then there is no model of F and F ` ⊥.

Theorem 2.2 (Completeness). For any first-order formula F , if F ` ⊥ then F `? ⊥.

The proof, based on inference trees in a certain paramodulation calculus, can be found inthe technical report [7].

25


3 Adding a Customizable Theory to a SMT Solver forGround Formulas

In this section, we define a wrapper over a generic SMT solver for ground formulas that acceptsa theory written as a set of formulas with triggers. This solver is a theoretical model and it isnot meant to be efficient. We prove it sound with respect to our framework.

It is easy to show that conversion to NNF does not change the semantics of a FOL?-formula.

Definition 3.1. We define a skolemization transformation SkoT for FOL?-formulas in negativenormal form. Given a formula F = ∃x.G, we have SkoT (F ) , 〈c(y)〉 SkoT (G[x ← c(y)]),where y is the set of free variables of F , and c is a fresh function symbol.

We put the witness 〈c(y)〉 to preserve satisfiability. Indeed, Sko(∃x. [x]⊥) is [c]⊥ whichis satisfiable, while ∃x. [x]⊥ is not. In the following, we work with FOL?-formulas in Skolemnegative normal form.

3.1 A Solver for Ground Formulas

To reason about FOL?-formulas, we use a solver S for ground formulas.

Definition 3.2. We denote implication over ground formulas with theories ò to distinguish itfrom implication in first-order logic with theories `.

We make a few assumptions about the interface of the ground solver S:

• It returns Unsat(U) when called on an unsatisfiable set of ground formulas R where U isan unsatisfiable core of R. We assume that U is a set of formulas that occur in R suchthat R ò U and U ò ⊥.

• It returns Sat(M) when called on a satisfiable set of ground formulas R where M is amodel of R. We assume that M is a set of literals of R such that M ò R.

We write R S Unsat(U) (resp. R S Sat(M)) to express that the solver S returns Unsat(U)(resp. Sat(M)) when launched on a set of ground formulas R.

3.2 Deduction Rules for First-Order Formulas with Triggers

The solver Lift(S) takes a set of formulas with triggers T and a set of ground formulas S asinput and decides whether S is satisfiable modulo T . It is constructed on top of a solver forground formulas S and works on a set of ground formulas R that is augmented incrementally.While the solver S returns a model M of R, new facts are deduced from M and added to R.

The set R initially contains the formulas from the input S as well as those from the theoryT where literals, quantified formulas, and formulas with triggers or witnesses are replaced by

fresh atoms. The atom replacing a formula F is written F and is called a protected formula.

Definition 3.3. We say that a model M produces a pair F, t of a formula F and a term t ifeither F is the atom > and there is a literal L in M from S such that t ∈ T (L), F is a protected

witness 〈s〉 G ∈M and t ∈ T (s), or F a protected literal L ∈M and t ∈ T (L). We write it

M ↑ F, t.

26


The following deduction rules are used to retrieve information from the protected formulasof a model M :

Pos Unfold

〈t〉 F ∈M

〈t〉 F → F

Lit Unfold

L ∈M

L → L

Neg Unfold

[t] F ∈M M ↑ G, t′ M ∪ t 6≈ t′ S Unsat(U ∪ t 6≈ t′)

[t] F ∧G ∧ U → F

Inst

∀x. F ∈M M ↑ G, t M ∪ ¬F [x← t] S Sat(M ′)

∀x. F ∧G→ F [x← t]

Rule Inst adds to R an instantiation of a universal formula with a known term. It isrestricted by the premise M ∪¬F [x← t] S Sat(M ′) so that it does not instantiate a quan-tified formula if the result of the instantiation is already known. Rule Pos Unfold (resp. LitUnfold) unfolds formulas with witnesses (resp. literals). Rule Neg Unfold removes a triggerwhen it is equal to a known term. Note that every deduction rule returns an implication: in amodel where, say, 〈t〉 F is not true, F does not need to be true either.

The solver for FOL?-formulas Lift(S) returns Unsat on R, as soon as S returns Unsat onthe current set of formulas. It returns Sat on R if the ground solver S returns a model M fromwhich nothing new can be deduced by the above deduction rules.

Here is an example of execution of the solver Lift(S) on the set of ground formulas S modulothe theory T :

S = f(0) ≈ 0, f(1) 6≈ 1T = ∀x.[f(x + 1)] f(x + 1) ≈ f(x) + 1

Let us show how the solver Lift(S) can deduce that

R0 =

f(0) ≈ 0, f(1) 6≈ 1,

∀x.[f(x + 1)] f(x + 1) ≈ f(x) + 1

is unsatisfiable.

1. The ground solver returns the only possible model M0 of R0, namely R0 itself. Sincef(0) ≈ 0 ∈M0, M0 produces the pair>, 0. As a consequence, the rule Inst can instantiatex with 0 in the universal formula:

R1 = R0 ∪

∀x. [f(x + 1)] f(x + 1) ≈ f(x) + 1 ∧ > →[f(0 + 1)] f(0 + 1) ≈ f(0) + 1

2. The solver returns the model M1 = M0 ∪ [f(0 + 1)] f(0 + 1) ≈ f(0) + 1 of R1. Since

f(1) 6≈ 1 ∈ M1, M1 produces the pair >, f(1). Based on results from the theory ofarithmetics, the ground solver can deduce that f(0 + 1) 6≈ f(1) is unsatisfiable. Thus therule Neg Unfold can add another formula to R1:

R2 = R1 ∪

[f(0 + 1)] f(0 + 1) ≈ f(0) + 1 ∧ > →f(0 + 1) ≈ f(0) + 1

27


3. The ground solver returns the model M2 = M1 ∪ f(0 + 1) ≈ f(0) + 1 of R2. The rule

Lit Unfold can now unfold the protected literal f(0 + 1) ≈ f(0) + 1 :

R3 = R2 ∪ f(0 + 1) ≈ f(0) + 1 → f(0 + 1) ≈ f(0) + 1

4. Any model of R3 contains f(0 + 1) ≈ f(0) + 1, f(0) ≈ 0 and f(1) 6≈ 1. The ground solverreturns Unsat( ) on R3. As expected, the initial set S is reported to be unsatisfiablemodulo T .

3.3 Properties

In this section, we prove that our solver is sound and complete on a particular class of axiomatics.In the following section, we demonstrate on an example how our framework can be used to checkthat a given axiomatics is in this class.

Completeness We say that a set of formulas with triggers T is complete if, for every finite setof literals G, JG ∪ T K− and G ∪ T , triggers being ignored, are equisatisfiable in FOL.

Termination We say that a set of formulas with triggers T is terminating if, from every finiteset of literals G, there can only be a finite number of instances of formulas of T . In ourframework, we enforce three rules to enable reasoning about termination:

• instantiation is always done with known terms

• new known terms cannot be deduced if they are protected by a trigger

• an instance of a formula F with a term t is not generated if an instance of F hasalready been generated with t′ equal to t.

Our solver is sound and complete if it works modulo a complete and terminating theory T :

Theorem 3.1. If Lift(S) returns Unsat on a set of ground formulas S modulo a theory T thenS ∪ T , triggers being ignored, is unsatisfiable in FOL.

Theorem 3.2. If Lift(S) returns Sat on a set of ground formulas S modulo a complete theoryT then S ∪ T , triggers being ignored, is satisfiable in FOL.

Theorem 3.3. If the theory T is terminating, then the solver Lift(S) will terminate on anyset of ground literal S.

The proofs of these three theorems may be found in the technical report [7].

4 Completeness and Termination of a theory

Within our framework, we can reason about a theory T written as a set of formulas withtriggers and demonstrate that it has the requested properties for our solver Lift(S) to be soundand complete. This section demonstrates how it can be done on an axiomatization of thenon-extensional theory of arrays.

We show that Greg Nelson’s proof of completeness for his decision procedure for arrays [13]can be turned into a proof of completeness of our solver on an axiomatization with carefullychosen triggers. Another example is given in the technical report [7]. For terms a, x and v,

28


we write access(a, x) the access in the array a at the index x and update(a, x, v) the update ofthe array a by the element v at the index x. The following set of first-order formulas T is anaxiomatization of the classical theory from McCarthy:

∀a, x, v. [update(a, x, v)] access(update(a, x, v), x) ≈ v (1)

∀a, x1, x2, v. [access(update(a, x1, v), x2)] x1 6≈ x2 →access(update(a, x1, v), x2) ≈ access(a, x2) (2)

∀a, x1, x2, v. [access(a, x2)] [update(a, x1, v)] x1 6≈ x2 →access(update(a, x1, v), x2) ≈ access(a, x2) (3)

Note that (2) and (3) are in fact duplications of the same first order formula with differenttriggers1. Both of them are needed for completeness. For example, without (2) (resp. (3)), theset of formulas y 6≈ x, access(update(a, y, v1), x) 6≈ access(update(a, y, v2), x) (resp. the setof formulas y 6≈ x, access(a1, x) 6≈ access(a2, x), update(a1, y, v) = update(a2, y, v)) cannotbe proven unsatisfiable.

We prove that this axiomatics is complete and terminating.

Termination: If G is a set of ground literals, there can only be a finite number of instancesfrom G and T . From (1), at most one access term access(update(a, x, v), x) can be created perupdate term update(a, x, v) of G. No new update term can be created, so there will be onlyone instantiation of (1) per update term of G. Equations (2) and (3) can create at most oneaccess term per couple comprising an index term (sub-term of an access term at the rightmostposition) and an update term. We deduce that at most one term per couple comprising theequality classes of an index term and an update term of G can be deduced.

Completeness: The set of formulas T gives a complete axiomatics. We prove that for everyset of ground formulas G such that JG ∪ T K− is satisfiable, JG ∪ T K− ∪ ∀t.known(t) is alsosatisfiable. Since assuming known(t) for every term t removes triggers and witnesses, thisshows that G ∪ T is satisfiable, triggers being ignored.

The proof is similar to the proof of Greg Nelson’s decision procedure for arrays [13]. Wefirst define the set of every array term a′ such that access(a′, x) is equated to a given termaccess(a, x) by (2) or (3):

Definition 4.1. For a set of formulas S and two terms a and x known in S, we define the setSa,x to be the smallest set of terms containing a and closed by

(i) if a′ ∈ Sa,x then every known term update(a′, y, v) such that S 0 y ≈ x is in Sa,x and

(ii) for every term update(a′, y, ) ∈ Sa,x, if S 0 y ≈ x then a′ is in Sa,x.

We now prove that, for every access or update term t, if S is a satisfiable set of groundformulas saturated by T then it can be extended to another satisfiable set S′ saturated by Tthat contains t = t. Since, by definition of J K−, Jt = tK− is equivalent to

∧t′∈T (t) known(t), this

is enough to have the completeness of T .This proof is an induction over the size of t. We assume that every sub-term of t has already

been added. If known(t) is already implied by JSK−, then we are done. If t is neither an accessnor an update term, then assuming the presence of t does not allow any new deduction.

1Most provers have a dedicated syntax for using several triggers for the same axiom.

29


Assume t is an update term update(a, x, v). With the presence of t, (1) deduces the literalaccess(t, x) ≈ v. This cannot lead to an inconsistency since nothing can be known about totherwise t would be known in JSK−. Equations (2) and (3) deduce access(t, y) = access(a′, y)for all terms a′ and y such that JSK− ` known(access(a′, y)) and t ∈ Sa′,y. Like the first one,this deductions cannot cause an inconsistency. The new set S′ obtained by adding these literalsto S is saturated by T . Indeed, if it is not, one of the formulas of T can deduce something thatis not in S′. It cannot be (1) since we have applied it to the only new update term of S′. If itis (2) or (3) then it comes from a term access(a′, y) ∈ S′ and S′t,y = S′a′,y. By construction ofS′, the result is in S′.

Assume t is an access term access(a, x). With the presence of t, (2) and (3) deduce t =access(a′, x) for every a′ ∈ Sa,x. This deduction cannot cause an inconsistency. Indeed, nothingcan be known about access(a′, x) otherwise t would have been known in S by (2) and (3). Thenew set S′ obtained by adding these literals to S is saturated by T . Indeed, if it is not, oneof the formulas of R can deduce something that is not in S′. It cannot be (1) since there isno new update term in S′. If it is (2) or (3) then it comes from a term access(a′, y) ∈ S′ andS′a,y = S′a′,y. By construction of S′, the result is in S′.

5 Conclusion

We have presented a new first-order logic with a syntax for triggers and given it a clear semantics.We have shown that a solver accepting a theory written as a set of formulas with triggers Tcan be implemented on top of an off-the-shelf SMT solver, and we have identified propertiesrequested from T for the resulting solver to be sound and complete on ground formulas. Finally,we have demonstrated, on the non-extensional theory of arrays, that our framework can be usedto prove that a theory expressed as a set of first-order formulas with triggers indeed has therequested properties.

In future work, we would like to integrate our technique of quantifier handling directly insidea DPLL(T)-based solver. Once a solver implementing our semantics exists, a static analysiscould be done to detect too restrictive or too permissive axiomatizations, and matching loops.We believe that such an analysis will help theory designers avoid common pitfalls when writingaxiomatizations.

References

[1] Clark Barrett, Aaron Stump, and Cesare Tinelli. The SMT-LIB standard version 2.0. Technicalreport, University of Iowa, december 2010.

[2] Francois Bobot, Sylvain Conchon, Evelyne Contejean, and Stephane Lescuyer. Implementingpolymorphism in SMT solvers. In SMT’08, volume 367 of ACM ICPS, pages 1–5, 2008.

[3] L. de Moura and N. Bjørner. Engineering dpll (t)+ saturation. Automated Reasoning, pages475–490, 2008.

[4] Leonardo de Moura and Nikolaj Bjørner. Efficient E-matching for SMT solvers. CADE’07, 2007.

[5] Leonardo de Moura and Nikolaj Bjørner. Z3: An efficient SMT solver. TACAS, 2008.

[6] David Detlefs, Greg Nelson, and James B. Saxe. Simplify: a theorem prover for program checking.J. ACM, 52(3):365–473, 2005.

[7] Claire Dross, Sylvain Conchon, Johannes Kanig, and Andrei Paskevich. Reasoning with triggers.Research Report RR-7986, INRIA, June 2012.

30


[8] Y. Ge and L. De Moura. Complete instantiation for quantified formulas in satisfiabiliby modulotheories. In Computer Aided Verification, pages 306–320. Springer, 2009.

[9] Yelting Ge, Clark Barrett, and Cesare Tinelli. Solving quantified verification conditions usingsatisfiability modulo theories. CADE, 2007.

[10] Swen Jacobs and Viktor Kuncak. Towards complete reasoning about axiomatic specifications. InProceedings of VMCAI, pages 278–293. Springer, 2011.

[11] S. Lahiri and S. Qadeer. Back to the future: revisiting precise program verification using smtsolvers. In ACM SIGPLAN Notices, volume 43, pages 171–182. ACM, 2008.

[12] Michal Moskal. Programming with triggers. Proceedings of the 7th International Workshop onSatisfiability Modulo Theories, pages 20–29, 2009.

[13] Greg Nelson. Techniques for program verification. Technical Report CSL81-10, Xerox Palo AltoResearch Center, 1981.

[14] P. Rummer. E-matching with free variables. 2012.

31

SMT-Based System Verification with DVFAmit Goel, Sava Krstic, Rebekah Leslie, Mark R. Tuttle

Intel Corporation

Abstract

We introduce the Deductive Verification Framework (DVF ), a language and a tool forverifying properties of transition systems. The language is procedural and the systemtransitions are a selected subset of procedures. The type system and built-in operationsare consistent with SMT-LIB, as are the multisorted first-order logical formulas that mayoccur in DVF programs as pre- and post-conditions, assumptions, assertions, and goals. Atemplate mechanism allows parametric specification of complex types within the confinesof this logic. Verification conditions are generated from specified goals and passed to SMTengine(s). A general assume-guarantee scheme supports a thin layer of interactive proving.

1 Introduction

This paper introduces the Deductive Verification Framework (DVF ), a language and automatedproof-checker for the specification and verification of transition systems. In DVF , systems andtheir properties are modeled in an expressive language that enables a clean and efficient mappingof proof obligations into the multisorted first-order logic supported by modern SMT solvers.The design of the language and the automation from SMT solvers make DVF arguably easierto use than interactive theorem provers, while making it possible for us to verify systems thatare out of the reach of model checkers.

Over the last decade, research and validation groups at Intel have performed “high-levelmodeling” for several interesting examples, where protocols or architectural features were mod-eled, debugged, and verified in Murφ [9] or TLA+/TLC [12]. In both, transitions are conve-niently presented as guarded commands. In our own experience, Murφ’s procedural style wasmost often fitting; however, its set of available types was constricting, and the state space ofour models too large for Murφ (or other model checkers) to fully explore.

When more naturally presented with datatypes such as sets, multisets and sequences, ourmodels became more amenable to Hoare-style reasoning, but the hand-proofs of the generatedverification conditions were large and ungainly—hardly counting as reliable proofs, despite theirmathematical shallowness. Thus, a Hoare-style program analyzer supported by SMT-basedproving of the generated conditions seemed to be better suited for our needs. From the class ofexisting tools of this kind, we picked Why [11] to experiment with. It worked on small examples,but was not a perfect fit. Why, like other tools in its class, is designed for analysis of traditionalprograms; our rule-based transition system descriptions required inelegant rewriting to becomeinputs for Why. Additionally, we were stymied by artifacts of the semantic translation(s) usedby Why to create verification conditions for SMT from the source program and propertiesdescribed in a polymorphic language.

We designed DVF to overcome these difficulties. We strived for clarity and for keeping thesemantic gap between our language and SMT-LIB small in order to minimize the translationaloverhead and to use SMT solvers efficiently. Our support for Hoare-style and assume-guaranteereasoning sets the foundation for further development of interactive proving features. Finally,DVF is conceived as a framework that will include additional tools such as simulators andmodel checkers.

In this paper, we present the language and the tool on simple examples, but we haveapplied it to verify sizable cache-coherence and consensus protocols as well. In our industrial


The Deductive Verification Framework A. Goel, S. Krstic, R. Leslie, and M. R. Tuttle

setting, DVF has been successfully used to reason about security properties of instruction-levelarchitectural features. In an ongoing project, DVF is also being used to model and verifycomplex system-on-chip boot flows.

The basic DVF language is explained in the following section. The form and use of templatesare discussed in Section 3, and Section 4 expounds on proof decomposition in the assume-guarantee style.

2 The DVF Language

Listing 1 shows a DVF program that models a mutual exclusion algorithm. DVF providesa simple procedural programming language for guarded transition systems. Procedures maybe annotated with pre- and post-conditions. A DVF program can additionally be sprinkledwith assertions, assumptions, and goal declarations. All of these formulas are written in amultisorted first-order logic.

Listing 1 A two-process mutual exclusion algorithm

1 type process = enum n1, n2type processes = array(process, bool)

const processes empty =mk array[process](false)

6

const process other(process n) =n=n1 ? n2 : n1

var process turn11 var processes want = empty

var processes critical = emptydef bool my turn(process n) = turn = n

proc unit set critical(process n, bool v)16 ensure (critical[n]=v)critical := store(critical, n, v);return ();

21 transition req critical(process n)require (¬want[n])want[n] := true;

transition enter critical(process n)26 require (want[n])

require (¬critical[n])require (my turn(n))call set critical(n,true);

31 transition exit critical (process n)require (critical[n])call set critical(n,false);want[n] := false;turn := other(n);

36

def bool mutex =¬(critical[n1] ∧critical[n2])

41 goal g0 = invariant mutex

def bool aux =∀(process n)

(critical[n]⇒my turn(n))46

goal g1 = invariant (mutex ∧aux)

The state space of the transition system is defined by the global (state) variables. Initialstates of the system are defined by initial values assigned to the state variables. Some proceduresin the program are marked as transitions; the system can transition from a state s to a state s′

if and only if one of the procedures marked as a transition leads from s to s′. The rest of thissection describes the language in more detail.

33


2.1 Types and Expressions

Booleans, mathematical integers and fixed-size bit-vectors are built-in, with their usual oper-ators [2]. DVF also has the unit type, with the single value (), and tuples, with projectionoperators as in (1,true,3)#3 = 3. Arrays parametrized over their domain and range are alsosupported, with the read operator as in the expression want[n], and the write operator as instore(critical,n,v). In addition, arrays come equipped with a mk array constructor: for exam-ple, mk array[process m](m=n) can be used to characterize the set containing the single elementn, and mk array[process](false) is the array mapping all processes to false. Since it can rep-resent arbitrary functions as arrays, mk array is not supported by array decision procedures.For compilation to SMT problems, we introduce a fresh constant for each mk array term, andadd a quantified assertion to specify its behavior; thus, the term mk array[process](false) wouldgenerate the assertion ∀(process n)(k[n]=false), where k is fresh.

We can also declare enumerations, records, sums, and uninterpreted types. The unin-terpreted types are useful for under-specification and for defining new types via axioms thatconstrain operations on the type. (For example, the type of naturals with the zero constant andthe successor operator could be introduced this way.) Records are constructed by simultaneousassignment to all fields or by updating some of the fields of an existing record; record fieldsare accessed using dot notation. Sums are deconstructed using (exhaustive) match expressions.Since SMT solvers with support for sum types (or, more generally, algebraic data types) typi-cally provide constructors and selectors, we compile pattern matches into variable bindings andexpressions using those operators.

Expressions in DVF are pure and statically typed. The language is designed to enablesimple type inference. In keeping with this desire, enumerations, records and sums are typednominally. We require annotations wherever it would not be possible to infer the type, say inmk array[process](false) to specify the type of the domain.

All of the built-in DVF types and operators (with some translation as mentioned above)are supported by SMT solvers such as CVC3 [3], Yices [10] and Z3 [8].

2.2 Variables, Constants and Definitions

A DVF program’s global variables define the state of the transition system being modeled. Vari-able initialization serves to describe the initial state(s) of the system, with the understandingthat when the initial value for a variable is not specified, it can be arbitrary. Thus, in List-ing 1, want is initialized to empty and turn can initially be either n1 or n2. In addition to globalvariables, we can use local variables as temporary stores inside procedures and transitions.

The const keyword introduces constants and (total) functions. See lines 4-5 and 6-7 inListing 1 for examples of constant and function declarations. Constants and functions do notneed to be defined; much like uninterpreted types, uninterpreted constants and functions areuseful for under-specification and for specifying behavior with axioms.

The def keyword is used to define state predicates and other functions that take the systemstate as an implicit argument. Note that the function my turn defined on line 13 of Listing 1uses the state variable turn in its definition without having it as an explicit argument. We treatdefs as macros to be inlined at points of use.

2.3 Statements, Procedures and Transitions

DVF offers a standard set of statements: assignments, conditionals, while loops (annotatedwith loop invariants), procedure calls and returns. Statements may be grouped into blocks

34


with local variables. The examples

turn := other(n); want[n] := true; cache[i].c state := invalid; x[31:16] := y[15:0];

show assignments to a variable, a single array element, individual record field, and a bit-rangein a bit-vector. The last three forms are syntactic sugar; for example want[n] := true abbreviateswant := store(want,n,true). Parallel assignment via pattern matching on tuples is allowed, as in(x,y) := (y,x). In common with languages like Boogie [14], we have assert, assume and non-deterministic assignment statements.

Procedures take a (possibly empty) list of typed arguments and have a return type; whenthe return type is omitted, it is assumed to be unit. All paths in a procedure must have a returnstatement unless the return type is unit, in which case a return () is implicitly assumed. Thekeywords require and ensure are used to annotate procedures with preconditions and postcon-ditions. In postconditions, result refers to the procedure’s returned value.

Transitions are procedures that are identified as such. The system executes transitionsatomically, choosing non-deterministically from transitions whose requirements are satisfied bythe current state for some choice of argument values. A system can transition from the states to the state s′ if and only if one of the procedures marked as a transition is enabled in s forsome values of its arguments, and when executed with these values, it terminates in s′.

2.4 Goals

A program in DVF entails a set of proof obligations, arising from the use of assert statements,require and ensure clauses, as well as from explicitly specified goals, as described below.

We can ask DVF to prove the logical validity of formulas. State variables may occur insuch formulas, in which case the validity of the formula establishes the property for all states,reachable or not. For example, a lemma in our proof of the German cache-coherence protocolfrom [5] is stated as follows.1

def bool coherence thm =∀(node i, node j)

(i 6=j ∧cache[i].c state = exclusive⇒cache[j].c state = invalid)

def bool coherence cor =∀(node i, node j)

(i 6=j ∧cache[i].c state=shared⇒cache[j].c state = invalid ∨cache[j].c state = shared)

goal thm implies cor = formula (coherence thm⇒coherence cor)

For a procedure or transition τ with arguments a1, . . . , an, we can write Hoare triplesθτ(e1, . . . , en)φ, where the triple stands for θ ⇒ wlp(τ [e1/a1, . . . , en/an], φ) and wlp isthe weakest-liberal precondition. For example, memory integrity could be specified with thethree triples:

goal wr1 = true write(i,v) mem[i]=vgoal wr2 = mem[i]=v ∧i 6=j write(j, v’) mem[i]=vgoal rd = mem[i]=v read(i) result=v

In triples, the arguments to the procedure may be omitted, in which case the condition ischecked for all possible argument values.

1The proof needs the fact that caches can be in one of three states, invalid, shared or exclusive. See Appendix Afor the DVF encoding of the protocol and proof of coherence thm.

35


The DVF goal initially φ states that φ is true in all initial states, and invariant φ statesthat φ is true in all reachable states. DVF attempts to prove invariants inductively. Thus,proving the goal g0 on line 41 of Listing 1 reduces to the proof obligations initially mutex,mutexreq criticalmutex, mutexenter criticalmutex, and mutexexit criticalmutex. Often, theinvariants we want to prove are not inductive; in our example, mutexenter criticalmutex is notvalid. In such cases we interactively strengthen the invariant until it does become inductive.Strengthening mutex with an auxiliary property aux (line 42) creates mutex ∧aux, which is in-ductive and goal g1 in Listing 1 is easily discharged. In Section 4, we will describe the supportDVF provides for managing invariance proofs for larger systems.

3 Axioms and Parametrized Templates

Consider modeling a reference counting system, where there is a set of resources (with a specialnull resource) and a set of processes, each with a pointer to a resource. The system may allocatea free resource, at which point the resource becomes valid. A valid resource may be referencedby a process whose pointer is then set to the resource, and the resource’s reference counter goesup by 1. Processes may subsequently dereference the resource they point to, at the same timedecrementing the counter for the resource. Finally, a resource with a count of 0 may be freedby the system, setting its status to invalid. A DVF model of this system is shown in Listing 2.

Listing 2 Reference counting

type processtype resourceconst resource null

5 var array(resource, int) countvar array(resource,bool) valid =

mk array[resource](false)var array(process, resource) ptr =

mk array[process](null)10

transition alloc(resource r)require (r 6=null)require (¬valid[r])valid[r] := true;

15 count[r] := 0;

transition ref(process p, resource r)require (valid[r])

20 require (ptr[p] = null)ptr[p] := r;count[r] := count[r] + 1;

25 transition deref(process p)require (ptr[p] 6=null)var resource r = ptr[p];ptr[p] := null;count[r] := count[r] − 1;

30

transition free(resource r)require (valid[r])require (count[r] = 0)

35 valid[r] := false;

def bool prop =∀(process p)

(ptr[p]6=null⇒valid[ptr[p]])40

def bool refs non zero =∀(process p)

(ptr[p]6=null⇒count[ptr[p]] > 0)

45 goal g0 = invariant prop

goal g1 = invariant (prop ∧refs non zero)

We want to verify a basic property: if a process points to a non-null resource, then thatresource must be valid.

36


It turns out that this property is not inductive; in particular, one cannot prove the goalpropfreeprop. Insight into the failing proof leads to the consideration of an auxiliary property,refs non zero, which states that the reference count of a resource cannot be 0 if there is a processpointing to it. Attempting to prove the strengthened invariant (the conjunction of the twoproperties), we soon realize that it would be convenient to track the set of processes pointingto a resource, and to show that the cardinality of this set is equal to the reference count of theresource.

DVF does not provide a built-in type for sets. We could represent sets using arrays thatmap elements to Booleans (e.g., valid in Listing 2), but that would still leave us wanting for acardinality operator. Instead, we introduce a new type for sets, as well as constants for theempty set, set membership, adding and removing an element from a set, and cardinality. Wethen write axioms that constrain the behavior of these constants. At this point, crucially, wewish for some sort of parametricity to avoid having to encode sets for each new element type.

Typically, and perhaps most naturally, parametricity is introduced via polymorphic typeconstructors in the language. However, this creates a discrepancy with the non-polymorphiclogic of SMT solvers and would necessitate a logical translation between the front and the backend of the tool. This complication is avoided in DVF by the use of a template construct.Listing 3 shows the encoding of sets, parametrized by the type of elements, that we use inthe next section to complete the proof of our reference counting example. In general, DVFtemplates may be parametrized by types and values; for instance, a template for boundedqueues might include the type of elements and the depth of the queue as parameters. Templatesare instantiated by modules where all parameters are replaced with concrete types and values.Thus, every DVF system description is essentially monomorphic, matching the SMT-LIB logic.

Listing 3 Sets with cardinality

template <type elem> Set// Signaturetype set

5 const set emptyconst bool mem (elem x, set s)const set add (elem x, set s)const set del (elem x, set s)const int card (set s)

10

// Axioms for set membershipaxiom mem empty =∀(elem e)

(¬mem(e,empty))15

axiom mem add =∀(elem x, elem y, set s)

(mem(x,add(y,s)) = (x=y ∨mem(x,s)))

20 axiom mem del =∀(elem x, elem y, set s)

(mem(x,del(y,s)) = (x6=y ∧mem(x,s)))

// Axioms for cardinality25 axiom card empty =

card(empty) = 0

axiom card zero =∀(set s)

30 (card(s)=0⇒s = empty)

axiom card non negative =∀(set s)

(card(s) ≥0)35

axiom card add =∀(elem x, set s)

(card(add(x,s)) =(mem(x,s) ? card(s) : card(s)+1))

40

axiom card del =∀(elem x, set s)

(card(del(x,s)) =(mem(x,s) ? card(s)−1 : card(s)))

45

37


4 Compositional Reasoning

Continuing with our reference counting example, we modify the system with an auxiliary vari-able, handles, that tracks the set of processes pointing to each resource. This allows us tostate the property count eq card, asserting that the reference count of a resource is equal tothe cardinality of its set of handles. Unfortunately, even with this strengthening we do nothave an inductive invariant. We need two more properties of the system, ptr in handles andhandle is ptr, to establish that the set of handles for a resource is precisely the set of processespointing to the resource. Listing 4 shows the system with all these additions.

This process of incrementally strengthening the invariant can quickly become unmanageableas more and more conjuncts are added. The proof goals become harder for the SMT solver andin case of proof failure, it is harder to diagnose the reason for the failure. Also, it is easy to losetrack of an understanding for why the auxiliary invariants were necessary. Proofs of this kindare more easily carried out compositionally by breaking down the temporal induction step intoseparate proofs for each invariant, where each invariant is derived assuming: (1) some of theother invariants that have been proven for the previous time value, and (2) yet others that havebeen proven to hold now. This leads to potentially invalid circular reasoning. The followingparagraph summarizes a well-known sound compositional reasoning scheme.

Compositional proofs are conveniently represented in graphical form as in Figure 1, withpurported invariants at the nodes, and with some edges marked as latched. For every node φ,let Aφ be the conjunction of all ψ such that there is a latched edge from ψ to φ. Similarly,let Bφ be the conjunction of all ψ such that there is an unlatched edge from ψ to φ. Theset of proof obligations generated by the graph consists of conditions initially φ and triplesAφ ∧ φτBφ ⇒ φ, for every node φ and every transition τ . If the graph contains nocombinational cycles, then this set of initial conditions and triples implies invariance of allnode formulas. This is a special case of McMillan’s result on assume-guarantee reasoning [15].2

To finish with our example, the goals main and aux1−aux4 in Listing 4 correspond to thefive nodes in Figure 1, and are all provable. Notice that all edges coming into any particularnode are of the same type: latched or non-latched. Restricting proof graphs so that all nodesare one of these two “pure” types does not lose generality.3 The “latched” nodes correspond toDVF goals of the form invariant φ assuming Aφ, which creates proof obligations initially φ andAφ ∧φτφ. The “unlatched” nodes correspond to formula (Bφ ⇒ φ), which is stronger thanφτBφ ⇒ φ, but is simpler and suffices in practice.

5 Related Work

As a procedural system description language, DVF is most closely related to Murφ [9] whichis designed for efficient explicit-state model checking. DVF , on the other hand, is an SMT-based deductive verification tool. Like DVF , the system verification tools UCLID [4] andSAL [17] are SMT based. UCLID ’s modeling language is restricted by the decision procedure itrelies on (for a logic that covers counter arithmetic, non-extensional arrays, and uninterpretedfunctions). With SAL we share reliance on full-blown SMT solving, but differ in the presentationof systems: SAL’s (and UCLID ’s) system descriptions are relational, not procedural. While

2McMillan’s technique applies to proving more general temporal formulas, not only invariants.3Proof. If, for some φ, both Aφ and Bφ are non-empty, let φ′ be the formula Bφ ⇒ φ and modify the proof

graph by adding the node φ′ to it with: (1) a latched edge from φ to φ′; (2) an unlatched edge from φ′ to φ;and (3) all latched edges into φ redirected to end in φ′. In the new graph, Aφ and Bφ′ are empty. The proofobligations for φ′ in the new graph are weaker than the proof obligations for φ in the old graph, and φ followsby modus ponens from its predecessors in the new graph.

38


Listing 4 Reference Counting with a Compositional Proof

type resourcetype processconst resource nullmodule R = Set<type resource>

5 module S = Set<type process>

var R.set valid = R.emptyvar array(resource, int) countvar array(process, resource) ptr =

10 mk array[process](null)var array(resource, S.set) handles

transition alloc(resource r)require (r 6=null)

15 require (¬R.mem(r,valid))valid := R.add(r,valid);count[r] := 0;handles[r] := S.empty;

20

transition ref(process p, resource r)require (R.mem(r,valid))require (ptr[p] = null)ptr[p] := r;

25 count[r] := count[r] + 1;handles[r] := S.add(p, handles[r]);

transition deref(process p)30 require (ptr[p] 6=null)var resource r = ptr[p];ptr[p] := null;count[r] := count[r] − 1;handles[r] := S.del(p, handles[r]);

35

transition free(resource r)require (R.mem(r,valid))require (count[r] = 0)

40 valid := R.del(r, valid);

def bool prop =∀(process p)

(ptr[p]6=null⇒R.mem(ptr[p],valid))45

def bool refs non zero =∀(process p)

(ptr[p]6=null⇒count[ptr[p]] > 0)

50 def bool count eq card =∀(resource r)

(r 6=null ∧R.mem(r,valid)⇒count[r] = S.card(handles[r]))

55 def bool ptr in handles =∀(process p)

(ptr[p]6=null⇒S.mem(p, handles[ptr[p]]))

60 def bool handle is ptr =∀(process p, resource r)

(r 6=null ∧R.mem(r,valid)∧S.mem(p, handles[r])⇒ptr[p] = r)

65

goal main = invariant propassuming refs non zero

goal aux1 = formula (count eq card70 ∧prop

∧ptr in handles⇒refs non zero)

goal aux2 = invariant count eq card75 assuming ptr in handles,

handle is ptr

goal aux3 = invariant ptr in handlesassuming prop

80

goal aux4 = invariant handle is ptr

39


prop

refs non zero

count eq card

ptr in handles

handle is ptr

Figure 1: Proof Graph for Reference Counting Example

SAL has features (notably, system composition) currently not available in DVF , it does nothave the expressivity achieved in DVF by axiomatizations and parametrized templates.

DVF uses Hoare-style verification techniques much like existing tools for program verifica-tion; for example, [1, 6, 13, 18]. However, these tools are not well suited for high-level modelingbecause of the limitations of their source languages. A better comparison is with the interme-diate languages used by these tools. Boogie [14] and Why [11] have additional constructs (aricher set of types, polymorphism, the ability to add axioms) that make modeling easier, butthey do not provide the support necessary for specification of systems and system properties.In fact, our work on DVF was motivated by the promise evident from our early experimentswith Why , and was directed to overcome the limitations we faced. We found the threadingof system invariants via contracts to be a major burden. We also found that the translationsintroduced to encode types from the polymorphic source language into terms in the multisortedlanguage of SMT solvers made it harder to discharge the proofs. While there has been work[7, 14] on improving translations for subsequent proving efficiency, the parametricity enabledby DVF templates is a semantically cleaner solution. DVF is less expressive; for example, someaspects of memory encoding in Boogie would be difficult to mimic in DVF . In our experiencethis trade-off has been justified—we have found templates to work well for our system mod-eling tasks. Finally, we note that DVF templates are similar to parametrized theories in theinteractive prover PVS [19].

6 Conclusion

We have presented DVF , a language and tool for the modeling and verification of transitionsystems. It is particularly suitable for systems that involve complex parametrized data types(like sets, multisets, sequences, queues, partial orders). Such types are represented axiomaticallyby means of a template construction, which allows all logical manipulations in DVF —fromprogram annotation to the generation of verification conditions for SMT solvers—to cleanlystay within the multisorted first-order logic.

The niche of DVF is systems beyond the capacity of model checkers and not readily admit-ting model-checkable finite-state abstractions as in, say, [16, 5]. Its primary application so farhas been to verify new and complex architectural features in hardware systems where Hoare-style reasoning has scaled well, requiring only seconds for verification tasks that generated up toa few hundred proof obligations. The human effort required to provide auxiliary proof artifactshas not been overwhelming. In fact, the auxiliary invariants have helped our and the designers’understanding, providing valuable documentation as well as checks for implementations.

Ignoring the logical matter, a DVF system description looks like an ordinary program with

40


an interface defined by several named procedures (transitions). This syntactic closeness to com-mon programming languages is a significant convenience in the industrial environment, wheremodel development is done in collaboration with designers unfamiliar with formal languages.

For future work, the diagnosis of proof failures is a priority; proof failures have been largelydue to unprovable goals (rather than solvers’ capacity limits), so we need meaningful counter-model production for our SMT queries. At the language level, we will need to add somemodularity mechanism for modeling larger and more complex systems. Human-assisted skeletalproof construction (Section 4) can use additional proof rules and “tactics” borrowed frominteractive provers. Finally, even the least sophisticated model-checking back-end would helpwith early debugging of system models.

References

[1] M. Barnett, R. DeLine, M. Fahndrich, B. Jacobs, K. R. M. Leino, W. Schulte, and H. Venter. TheSpec# programming system: Challenges and directions. In VSTTE, pages 144–152, 2005.

[2] C. Barrett, A. Stump, and C. Tinelli. The SMT-LIB Standard: Version 2.0. In A. Gupta andD. Kroening, editors, SMT, 2010.

[3] C. Barrett and C. Tinelli. CVC3. In CAV, pages 298–302, 2007.

[4] R. E. Bryant, S. K. Lahiri, and S. A. Seshia. Modeling and verifying systems using a logic ofcounter arithmetic with lambda expressions and uninterpreted functions. In CAV, pages 78–92,2002.

[5] C.-T. Chou, P. K. Mannava, and S. Park. A simple method for parameterized verification of cachecoherence protocols. In FMCAD, pages 382–398, 2004.

[6] E. Cohen, M. Dahlweid, M. A. Hillebrand, D. Leinenbach, M. Moskal, T. Santen, W. Schulte, andS. Tobies. VCC: A practical system for verifying concurrent c. In TPHOLs, pages 23–42, 2009.

[7] J.-F. Couchot and S. Lescuyer. Handling polymorphism in automated deduction. In CADE, pages263–278, 2007.

[8] L. M. de Moura and N. Bjørner. Z3: An efficient SMT solver. In TACAS, pages 337–340, 2008.

[9] D. L. Dill, A. J. Drexler, A. J. Hu, and C. H. Yang. Protocol verification as a hardware designaid. In ICCD, pages 522–525, 1992.

[10] B. Dutertre and L. D. Moura. The Yices SMT solver. Technical report, SRI, 2006.

[11] J.-C. Filliatre and C. Marche. The Why/Krakatoa/Caduceus platform for deductive programverification. In CAV, pages 173–177, 2007.

[12] L. Lamport. Specifying Systems, The TLA+ Language and Tools for Hardware and SoftwareEngineers. Addison-Wesley, 2002.

[13] K. R. M. Leino. Dafny: An automatic program verifier for functional correctness. In LPAR(Dakar), pages 348–370, 2010.

[14] K. R. M. Leino and P. Rummer. A polymorphic intermediate verification language: Design andlogical encoding. In TACAS, pages 312–327, 2010.

[15] K. L. McMillan. Circular compositional reasoning about liveness. In CHARME, pages 342–345,1999.

[16] K. L. McMillan. Verification of infinite state systems by compositional model checking. InCHARME, pages 219–234, 1999.

[17] L. D. Moura, S. Owre, and N. Shankar. The SAL language manual. Technical report, SRI, 2003.

[18] Y. Moy and C. Marche. Jessie Plugin, Boron version. INRIA, 2010. http://frama-c.com/

jessie/jessie-tutorial.pdf.

[19] S. Owre, J. M. Rushby, and N. Shankar. PVS: A Prototype Verification System. In CADE, pages748–752, 1992.

41

http://frama-c.com/jessie/jessie-tutorial.pdf

http://frama-c.com/jessie/jessie-tutorial.pdf


A Verification of the German Protocol

Listing 5 shows a DVF translation of the German cache coherence protocol from its Murφpresentation in [5]. We have added an auxiliary variable, exnode, to store the node, if any, thathas exclusive access. Figure 2 shows the proof graph for the control property using the followingauxiliary invariants:

def bool p1 = ∀(node n) (exgntd⇒shrset[n] = (n = exnode))

def bool p2 = ∀(node n) (chan2[n].m cmd = gnte ∨cache[n].c state=exclusive⇒exgntd)

def bool p3 =∀(node n)

(¬shrset[n]⇒cache[n].c state = invalid ∧chan2[n].m cmd = empty ∧chan3[n].m cmd = empty)

def bool p4 = ∀(node n) (invset[n]⇒shrset[n])


(chan3[n].m cmd = invack⇒chan2[n].m cmd = empty ∧cache[n].c state = invalid)


(chan2[n].m cmd = inv ∨chan3[n].m cmd = invack⇒¬invset[n] ∧shrset[n])


(chan2[n].m cmd = inv ∨chan3[n].m cmd = invack⇒(curcmd = reqs ∧exgntd) ∨curcmd = reqe)

p7

p6

p5

p4 p3

p2 p1

coherence thm

Figure 2: Proof Graph for the German Protocol

42


Listing 5 German Cache Coherence Protocol

// Types2 type node

type datatype cache state = enum invalid, shared, exclusivetype cache = struct c state: cache state; c data: datatype msg cmd = enum empty,reqs,reqe,inv,invack,gnts,gnte

7 type msg = struct m cmd: msg cmd; m data: datatype chan = array(node, msg)type caches = array(node, cache)type nodes = array(node, bool)

12 // Constants for initializationconst data dummyconst msg imsg = m cmd = empty; m data = dummyconst cache icache = c state = invalid; c data = dummy

17 // State variablesvar caches cache = mk array[node](icache)var chan chan1 = mk array[node](imsg)var chan chan2 = mk array[node](imsg)var chan chan3 = mk array[node](imsg)

22 var nodes invset = mk array[node](false)var nodes shrset = mk array[node](false)var bool exgntd = falsevar node exnodevar msg cmd curcmd = empty

27 var node curptrvar data memdata

// Actionstransition send req shared (node i)

32 require (chan1[i].m cmd = empty)require (cache[i].c state = invalid)chan1[i].m cmd := reqs;

transition send req exclusive(node i)37 require (chan1[i].m cmd = empty)

require (cache[i].c state 6=exclusive)chan1[i].m cmd := reqe;

transition recv req shared (node i)42 require (curcmd = empty)

require (chan1[i].m cmd = reqs)curcmd := reqs; curptr := i;chan1[i].m cmd := empty;invset := shrset;

47

transition recv req exclusive (node i)require (curcmd = empty)require (chan1[i].m cmd = reqe)curcmd := reqe; invset := shrset;

52 curptr := i; chan1[i].m cmd := empty;

transition send inv (node i)require (chan2[i].m cmd = empty)require (invset[i])

57 require (curcmd=reqe ∨curcmd=reqs ∧exgntd)chan2[i].m cmd:= inv; invset[i]:= false;

transition send invack (node i)require (chan2[i].m cmd = inv)

62 require (chan3[i].m cmd = empty)chan2[i].m cmd := empty;chan3[i].m cmd := invack;if (cache[i].c state = exclusive)

chan3[i].m data := cache[i].c data;67 cache[i].c state := invalid;

transition recv invack (node i)require (chan3[i].m cmd = invack)

72 require (curcmd 6=empty)chan3[i].m cmd := empty;shrset[i] := false;if (exgntd)

exgntd := false;77 memdata := chan3[i].m data;

transition send gnt shared ()require (curcmd = reqs)

82 require (¬exgntd)require (chan2[curptr].m cmd = empty)chan2[curptr].m cmd := gnts;chan2[curptr].m data := memdata;shrset[curptr] := true; curcmd := empty;

87

transition send gnt exclusive ()require (curcmd = reqe)require (¬exgntd)require (chan2[curptr].m cmd = empty)

92 require (∀ (node j) (¬shrset[j]))chan2[curptr].m cmd := gnte;chan2[curptr].m data := memdata;shrset[curptr] := true; curcmd := empty;exgntd := true; exnode := curptr;

97

transition recv gnt shared (node i)require (chan2[i].m cmd = gnts)cache[i].c state := shared;cache[i].c data := chan2[i].m data;

102 chan2[i].m cmd := empty;

transition recv gnt exclusive (node i)require (chan2[i].m cmd = gnte)cache[i].c state := exclusive;

107 cache[i].c data := chan2[i].m data;chan2[i].m cmd := empty;

transition store data (node i, data d)require (cache[i].c state = exclusive)

112 cache[i].c data := d;

def bool coherence thm =∀(node i, node j)

(i6=j ∧cache[i].c state = exclusive117 ⇒cache[j].c state = invalid)

43

On the Complexity of

Fixed-Size Bit-Vector Logics

with Binary Encoded Bit-WidthGergely Kovasznai, Andreas Frohlich, Armin Biere

Institute for Formal Models and VerificationJohannes Kepler University, Linz, Austria∗

Abstract

Bit-precise reasoning is important for many practical applications of Satisfiability Mod-ulo Theories (SMT). In recent years efficient approaches for solving fixed-size bit-vectorformulas have been developed. From the theoretical point of view, only few results on thecomplexity of fixed-size bit-vector logics have been published. In this paper we show thatsome of these results only hold if unary encoding on the bit-width of bit-vectors is used.We then consider fixed-size bit-vector logics with binary encoded bit-width and establishnew complexity results. Our proofs show that binary encoding adds more expressiveness tobit-vector logics, e.g. it makes fixed-size bit-vector logic even without uninterpreted func-tions nor quantification NExpTime-complete. We also show that under certain restrictionsthe increase of complexity when using binary encoding can be avoided.

1 Introduction

Bit-precise reasoning over bit-vector logics is important for many practical applications of Sat-isfiability Modulo Theories (SMT), particularly for hardware and software verification. Syntaxand semantics of fixed-size bit-vector logics do not differ much in the literature [9, 3, 4, 11, 6].Concrete formats for specifying bit-vector problems also exist, like the SMT-LIB format orthe BTOR format [5]. Working with non-fixed-size bit-vectors has been considered for instancein [4, 1] and more recently in [20], but will not be further discussed in this paper. Most industrialapplications (and examples in the SMT-LIB) have fixed bit-width.

We investigate the complexity of solving fixed-size bit-vector formulas. Some papers proposesuch complexity results, e.g. in [3] the authors consider quantifier-free bit-vector logic, and givean argument for NP-hardness of its satisfiability problem. In [6], a sublogic of the previous oneis claimed to be NP-complete. In [23, 22], the quantified case is addressed, and the satisfiabilityof this logic with uninterpreted functions is proven to be NExpTime-complete. The proof holdsonly if we assume that the bit-widths of the bit-vectors in the input formula are written/encodedin unary form. We are not aware of any work that investigates how the particular encoding ofthe bit-widths in the input affects complexity (as an exception, see [8, Page 239, Footnote 3]).In practice a more natural and exponentially more succinct logarithmic encoding is used, suchas in the SMT-LIB, the BTOR, and the Z3 format. We investigate how complexity varies if weconsider either a unary or a logarithmic (actually without loss of generality) binary encoding.

In practice state-of-the-art bit-vector solvers rely on rewriting and bit-blasting. The latteris defined as the process of translating a bit-vector resp. word-level description into a bit-levelcircuit, as in hardware synthesis. The result can then be checked by a (propositional) SATsolver. We give an example, why in general bit-blasting is not polynomial. Consider checkingcommutativity of bit-vector addition for two bit-vectors of size one million. Written to a filethis formula in SMT2 syntax can be encoded with 138 bytes:

∗This work is partially supported by FWF, NFN Grant S11408-N23 (RiSE).


Complexity of Bit-Vector Logics with Binary Encoded Bit-Width Kovasznai, Frohlich, and Biere

(set-logic QF_BV)

(declare-fun x () (_ BitVec 1000000))

(declare-fun y () (_ BitVec 1000000))

(assert (distinct (bvadd x y) (bvadd y x)))

Using Boolector [5] with rewriting optimizations switched off (except for structural hashing),bit-blasting produces a circuit of size 103 MB in AIGER format. Tseitin transformation resultsin a CNF in DIMACS format of size 1 GB. A bit-width of 10 million can be represented by twomore bytes in the SMT2 input, but could not bit-blasted anymore with our tool-flow (due tointeger overflow). As this example shows, checking bit-vector logics through bit-blasting can notbe considered to be a polynomial reduction, which also disqualifies bit-blasting as a sound wayto prove that the decision problem for (quantifier-free) bit-vector logics is in NP. We show thatdeciding bit-vector logics, even without quantifiers, is much harder: it is NExpTime-complete.

Informally speaking, we show that moving from unary to binary encoding for bit-widthsincreases complexity exponentially and that binary encoding has at least as much expressivepower as quantification. However we give a sufficient condition for bit-vector problems toremain in the “lower” complexity class, when moving from unary to binary encoding. We callthem bit-width bounded problems. For such problems it does not matter, whether bit-width isencoded unary or binary. We also discuss some concrete examples from SMT-LIB.

2 Preliminaries

We assume the common syntax for (fixed-size) bit-vector formulas, c.f. SMT-LIB and [9, 3,4, 11, 6, 5]. Every bit-vector possesses a bit-width n, either explicit or implicit, where n is anatural number, n ≥ 1. We denote a bit-vector constant with c[n], where c is a natural number,0 ≤ c < 2n. A variable is denoted with x[n], where x is an identifier. Let us note that noexplicit bit-width belongs to bit-vector operators, and, therefore, the bit-width of a compoundterm is implicit, i.e., can be calculated. Let t[n] denote the fact that the bit-vector term t is ofbit-width n. We even omit an explicit bit-width if it can be deduced from the context.

In our proofs we use the following bit-vector operators: indexing (t[n][i], 0 ≤ i < n), bit-

wise negation (∼ t[n]), bitwise and (t[n]1 & t

[n]2 ), bitwise or (t

[n]1 | t[n]2 ), shift left (t

[n]1 t

[n]2 ),

logical shift right (t[n]1 t

[n]2 ), addition (t

[n]1 + t

[n]2 ), multiplication (t

[n]1 · t

[n]2 ), unsigned divi-

sion (t[n]1 / t

[n]2 ), and equality (t

[n]1 = t

[n]2 ). Including other common operations (e.g., slicing,

concatenation, extensions, arithmetic right shift, signed arithmetic and relational operators,rotations etc.) does not destroy the validity of our subsequent propositions, since they all canbe bit-blasted polynomially in the bit-width of their operands. Uninterpreted functions willalso be considered. They have an explicit bit-width for the result type. The application of such

a function is written as f [n](t1, . . . , tm), where f is an identifier, and t[n1]1 , . . . , t

[nm]m are terms.

Let QF BV1 resp. QF BV2 denote the logics of quantifier-free bit-vectors with unaryresp. binary encoded bit-width (without uninterpreted functions). As mentioned before, weprove that the complexity of deciding QF BV2 is exponentially higher than deciding QF BV1.This fact is, of course, due to the more succinct encoding. The logics we get by adding uninter-preted functions to these logics are denoted by QF UFBV1 resp. QF UFBV2. Uninterpretedfunctions are powerful tools for abstraction, e.g., they can formalize reads on arrays. Whenquantification is introduced, we get the logics BV1 resp. BV2 when uninterpreted functionsare prohibited. When they are allowed, we get UFBV1 resp. UFBV2. These latter logics areexpressive enough, for instance, to formalize reads and writes on arrays with quantified indices.1

1Let us emphasize again that among all these logics the ones with binary encoding correspond to the logics

45


3 Complexity

In this section we discuss the complexity of deciding the bit-vector logics defined so far. Wefirst summarize our results, and then give more detailed proofs for the new non-trivial ones.The results are also summarized in a tabular form in Appendix A.

First, consider unary encoding of bit-widths. Without uninterpreted functions nor quantifi-cation, i.e., for QF BV1, the following complexity result can be proposed (for partial resultsand related work see also [3] and [6]):

Proposition 1. QF BV1 is NP-complete2

Proof. By bit-blasting, QF BV1 can be polynomially reduced to Boolean formulas, for whichthe satisfiability problem (SAT) is NP-complete. The other direction follows from the fact thatBoolean formulas are actually QF BV1 formulas whose all terms are of bit-width 1.

Adding uninterpreted functions to QF BV1 does not increase complexity:

Proposition 2. QF UFBV1 is NP-complete.

Proof. In a formula, uninterpreted functions can be eliminated by replacing each occurrencewith a new bit-vector variable and adding (at most quadratic many) Ackermann constraints,e.g. [16, Chapter 3.3.1]. Therefore, QF UFBV1 can be polynomially translated to QF BV1.The other direction directly follows from the fact that QF BV1 ⊂ QF UFBV1.

Adding quantifiers to QF BV1 yields the following complexity (see also [8]):

Proposition 3. BV1 is PSpace-complete.

Proof. By bit-blasting, BV1 can be polynomially reduced to Quantified Boolean Formulas(QBF), which is PSpace-complete. The other direction directly follows from the fact thatQBF ⊂ BV1 (following the same argument as in Prop. 1).

Adding quantifiers to QF UFBV1 increases complexity exponentially:

Proposition 4 (see [22]). UFBV1 is NExpTime-complete.

Proof. Effectively Propositional Logic (EPR), being NExpTime-complete, can be polynomiallyreduced to UFBV1 [22, Theorem 7]. For completing the other direction, apply the reductionin [22, Theorem 7] combined with the bit-blasting of the bit-vector operations.

Our main contribution is to give complexity results for the more common logarithmic (ac-tually without loss of generality) binary encoding. Even without uninterpreted functions norquantification, i.e., for QF BV2, we obtain the same complexity as for UFBV1.

Proposition 5. QF BV2 is NExpTime-complete.

Proof. It is obvious that QF BV2 ∈ NExpTime, since a QF BV2 formula can be translatedexponentially to QF BV1 ∈ NP (Prop. 1), by a simple unary re-encoding of all bit-widths.The proof that QF BV2 is NExpTime-hard is more complex and given in Sect. 3.1.

Adding uninterpreted functions to QF BV2 does not increase complexity, again using Ack-ermann constraints, as in the proof for Prop. 2:

QF BV, QF UFBV, BV, and UFBV used by the SMT community, e.g., in SMT-LIB.2This kind of result is often called unary NP-completeness [14].

46


Proposition 6. QF UFBV2 is NExpTime-complete.

However, adding quantifiers to QF UFBV2 increases complexity exponentially:

Proposition 7. UFBV2 is 2-NExpTime-complete.

Proof. Similarly to the proof of Prop. 5, a UFBV2 formula can be exponentially translated toUFBV1 ∈ NExpTime (Prop. 4), simply by re-encoding all the bit-widths to unary. It is moredifficult to prove that UFBV2 is 2-NExpTime-hard, which we show in Sect. 3.2.

Notice that deciding QF BV2 has the same complexity as UFBV1. Thus, starting withQF BV1, re-encoding bit-widths to binary gives the same expressive power, in a precise com-plexity theoretical sense, as introducing uninterpreted functions and quantification all together.Thus it is important to differentiate between unary and binary encoding of bit-widths in bit-vector logics. Our results show that binary encoding is at least as expressive as quantification,while only the latter has been considered in [23, 22].

3.1 QF BV2 is NExpTime-hard

In order to prove that QF BV2 is NExpTime-hard, we pick a NExpTime-hard problemand, then, we reduce it to QF BV2. Let us choose the satisfiability problem of DependencyQuantified Boolean Formulas (DQBF), which has been shown to be NExpTime-complete [2].

In DQBF, quantifiers are not forced to be totally ordered. Instead a partial order is ex-plicitly expressed in the form e(u1, . . . , um), stating that an existential variable e depends onthe universal variables u1, . . . , um, where m ≥ 0. Given an existential variable e, we will useDeps(e) to denote the set of universal variables that e depends on. A more formal definitioncan be found in [2]. Without loss of generality, we can assume that a DQBF formula is inclause normal form.

In the proof, we are going to apply bitmasks of the form

2n︷︸︸︷0 . . . 0︸︷︷︸

2i

1 . . . 1︸︷︷︸2i

. . . 0 . . . 0︸︷︷︸2i

1 . . . 1︸︷︷︸2i

Given n ≥ 1 and i, with 0 ≤ i < n, we denote such a bitmask with Mni . Notice that these

bitmasks correspond to the binary magic numbers [12] (see also Chpt. 7 of [21]), and, can thusarithmetically be calculated in the following way (actually as sum of a geometric series):

Mni :=

2(2n) − 1

2(2i) + 1

In order to reformulate this definition in terms of bit-vectors, the numerator can be written as∼0[2

n], and 2(2i) as 1 (1 i), which results in the following bit-vector expression:

Mni := ∼0[2

n] /((1 (1 i)) + 1

)(1)

Theorem 8. DQBF can be (polynomially) reduced to QF BV2.

Proof. The basic idea is to use bit-vector logic to encode function tables in an exponentiallymore succinct way, which then allows to characterize independence of an existential variablefrom a particular universal variable polynomially.

47


More precisely, we will use binary magic numbers, as constructed in Eqn. (1), to create acertain set of fully-specified exponential-size bit-vectors by using a polynomial expression, dueto binary encoding. We will then formally point out the well-known fact that those bit-vectorscorrespond exactly to the set of all assignments. We can then use a polynomial-size bit-vectorformula for cofactoring Skolem-functions in order to express independency constraints.

First, we describe the reduction (c.f. an example in Appendix B), then show that thereduction is polynomial, and, finally, that it is correct.

The reduction. Given a DQBF formula φ := Q.m consisting of a quantifier prefix Q anda Boolean CNF formula m called the matrix of φ. Let u0, . . . , uk−1 denote all the universalvariables that occur in φ. Translate φ to a QF BV2 formula Φ by eliminating the quantifierprefix and translating the matrix as follows:

Step 1. Replace Boolean constants 0 and 1 with 0[2k] resp. ∼0[2k] and logical connectives withcorresponding bitwise bit-vector operators (∨, ∧, ¬ with |, & , ∼ , resp.).

Let Φ′ denote the formula generated so far. Extend it to the formula(

Φ′ = ∼0[2k])

.

Step 2. For each ui,

1. translate (all the occurrences of) ui to a new bit-vector variable U[2k]i ;

2. in order to assign the appropriate bitmask of Eqn. (1) to Ui, add the followingequation (i.e., conjunct it with the current formula):

Ui = Mki (2)

For an optimization see Remark 9 further down.

Step 3. For each existential variable e depending on universals Deps(e) ⊆ u0, . . . , uk−1,

1. translate (all the occurrences of) e to a new bit-vector variable E[2k];

2. for each ui /∈ Deps(e), add the following equation:

(E & Ui) =((E (1 i)

)& Ui

)(3)

As it is going to be detailed in the rest of the proof, the above equations enforce the

corresponding bits of E[2k] to satisfy the dependency scheme of φ. More precisely, Eqn. (3)makes sure that the positive and negative cofactors of the Skolem-function representinge with respect to an independent variable ui have the same value.

Polynomiality. Let us recall that all the bit-widths are encoded binary in the formula Φ,and thus exponential bit-widths (2k) are encoded into linear many (k) bits. We show now thateach reduction step results in polynomial growth of the formula size.

Step 1 may introduce additional bit-vector constants to the formula. Their bit-width is2k, therefore, the resulting formula is bounded quadratically in the input size. Step 2 adds k

variables U[2k]i for the original universal variables, as well as k equations as restrictions. The

bit-widths of added variables and constants is 2k. Thus the size of the added constraints isbounded quadratically in the input size. Step 3 adds one bit-vector variable E[2k] and at mostk constraints for each existential variable. Thus the size is bounded cubically in the input size.

48


Correctness. We show the original φ and the result Φ of the translation to be equisatisfiable.Consider one bit-vector variable Ui introduced in Step 2. In the following, we formalize thewell-known fact that all the Uis correspond exactly to all assignments. By construction, all bitsof Ui are fixed to some constant value. Additionally, for every bit-vector index bm ∈ [0, 2k − 1]there exists a bit-vector index bn ∈ [0, 2k − 1] such that

Ui[bm] 6= Ui[bn] and (4a)

Uj [bm] = Uj [bn], ∀j 6= i. (4b)

Actually, let us define bn in the following way (considering the 0th bit the least significant):

bn :=

bm − 2i if Ui[bm] = 0bm + 2i if Ui[bm] = 1

By defining bn this way, Eqn. (4a) and (4b) both hold, which can be seen as follows. LetR(c, l) be the bit-vector of length l with each bit set to the Boolean constant c. Eqn. (4a) holds,since, due to construction, Ui consists of several (2k−1−i) concatenated bit-vector fragments0 . . . 01 . . . 1 = R(0, 2i)R(1, 2i) (with both 2i zeros and 2i ones). Therefore it is easy to see thatUi[bm] 6= Ui[bm − 2i] (resp. Ui[bm] 6= Ui[bm + 2i]) holds if Ui[bm] = 0 (resp. Ui[bm] = 1). Witha similar argument, we can show that Eqn. (4b) holds: Uj [bm] = Uj [bm − 2i] (resp. Uj [bm] =Uj [bm + 2i]) if Uj [bm] = 0 (resp. Uj [bm] = 1), since bm− 2i (resp. bm + 2i) is located either stillin the same half or already in a concatenated copy of a R(0, 2j)R(1, 2j) fragment, if j 6= i.

Now consider all possible assignments to the universal variables of our original DQBF-formula φ. For a given assignment α ∈ 0, 1k, the existence of such a previously defined bn forevery Ui and bm allows us to iteratively find a bα such that (U0[bα], . . . , Uk−1[bα]) = α. Thus,we have a bijective mapping of every universal assignment α in φ to a bit-vector index bα in Φ.

In Step 3 we first replace each existential variable e with a new bit-vector variable E, which

can take 2(2k) different values. The value of each individual bit E[bα] corresponds to the value

e takes under a given assignment α ∈ 0, 1k to the universal variables. Note that withoutany further restriction, there is no connection between the different bits in E and thereforethe vector represents an arbitrary Skolem-function for an existential variable e. It may havedifferent values for all universal assignments and thus would allow e to depend on all universals.

If, however, e does not depend on a universal variable ui, we add the constraint of Eqn. (3).In DQBF, independence can be formalized in the following way: e does not depend on ui if ehas to take the same value in the case of all pairs of universal assignments α, β ∈ 0, 1k whereα[j] = β[j] for all j 6= i. Exactly this is enforced by our constraint. We have already shown thatfor α we have a corresponding bit-vector index bα, and we have defined how we can constructa bit-vector index bβ for β. Our constraint for independence ensures that E[bα] = E[bβ ].

Step 1 ensures that all logical connectives and all Boolean constants are consistent for eachbit-vector index, i.e. for each universal assignment, and that the matrix of φ evaluates to 1 foreach universal assignment.

Remark 9. Using Eqn. (1) in Eqn. (2) seems to require the use of division, which, however,can easily be eliminated by rewriting Eqn. (2) to(

Ui ·((1 (1 i)) + 1

))= ∼0[2k]

Multiplication in this equation can then be eliminated by rewriting it as follows:((Ui (1 i)) + Ui

)= ∼0[2k]

49


3.2 UFBV2 is 2-NExpTime-hard

In order to prove that UFBV2 is 2-NExpTime-hard, we pick a 2-NExpTime-hard problem andthen, we reduce it to UFBV2. We can find such a problem among the so-called domino tilingproblems [7]. Let us first define what a domino system is, and then we specify a 2-NExpTime-hard problem on such systems.

Definition 10 (Domino System). A domino system is a tuple 〈T,H, V, n〉, where

• T is a finite set of tile types, in our case, T = [0, k − 1], where k ≥ 1;

• H,V ⊆ T × T are the horizontal and vertical matching conditions, respectively;

• n ≥ 1, encoded unary.

Let us note that the above definition differs (but not substantially) from the classical onein [7], in the sense that we use sub-sequential natural numbers for identifying tiles, as it iscommon in recent papers. Similarly to [17] and [18], the size factor n, encoded unary, is partof the input. However while a start tile α and a terminal tile ω is used usually, in our case thestarting tile is denoted by 0 and the terminal tile by k − 1, without loss of generality.

There are different domino tiling problems examined in the literature. In [7] a classical tilingproblems is introduced, namely the square tiling problem, which can be defined as follows.

Definition 11 (Square Tiling). Given a domino system 〈T,H, V, n〉, an f(n)-square tiling is amapping λ : [0, f(n)− 1]× [0, f(n)− 1] 7→ T such that

• the first row starts with the start tile: λ(0, 0) = 0

• the last row ends with the terminal tile: λ(f(n)− 1, f(n)− 1) = k − 1

• all horizontal matching conditions hold:(λ(i, j), λ(i, j + 1)

)∈ H ∀i < f(n), j < f(n)− 1

• all vertical matching conditions hold:(λ(i, j), λ(i+ 1, j)

)∈ V ∀i < f(n)− 1, j < f(n)

In [7], a general theorem on the complexity of domino tiling problems is proved:

Theorem 12 (from [7]). The f(n)-square tiling problem is NTime (f(n))-complete.

Since for completing our proof on UFBV2 we need a 2-NExpTime-hard problem, let usemphasize the following easy corollary:

Corollary 13. The 2(2n)-square tiling problem is 2-NExpTime-complete.

Theorem 14. The 2(2n)-square tiling problem can be (polynomially) reduced to UFBV2.

Proof. Given a domino system 〈T = [0, k− 1], H, V, n〉, let us introduce the following notationswhich we intend to use in the resulting UFBV2 formula.

• Represent each tile in T with the corresponding bit-vector of bit-width l := dlog ke.

• Represent the horizontal and vertical matching conditions with the uninterpreted func-

tions (predicates) h[1](t[l]1 , t

[l]2 ) and v[1](t

[l]1 , t

[l]2 ), respectively.

• Represent the tiling with an uninterpreted function λ[l](i[2n], j[2

n]). As it is obvious, λrepresents the type of the tile in the cell at the row index i and column index j. Noticethat the bit-width of i and j is exponential in the size of the domino system, but due tobinary encoding it can represented polynomially.

50


The resulting UFBV2 formula is the following:

λ(0, 0) = 0 ∧ λ(

2(2n) − 1, 2(2

n) − 1)

= k − 1 ∧∧

(t1,t2)∈H

h(t1, t2) ∧∧

(t1,t2)∈V

v(t1, t2)

∧ ∀i, j

(j < 2(2

n) − 1 ⇒ h(λ(i, j), λ(i, j + 1)

) )∧(

i < 2(2n) − 1 ⇒ v

(λ(i, j), λ(i+ 1, j)

) )

This formula contains four kinds of constants. Three can be encoded directly (0[2n], 0[l], and

(k− 1)[l]). However, the constant 2(2n)− 1 has to be treated in a special way, in order to avoid

double exponential size, namely in the following form: ∼0[2n]. The size of the resulting formula,

due to binary encoding of the bit-width, is polynomial in the size of the domino system.

4 Problems Bounded in Bit-Width

We are going to introduce a sufficient condition for bit-vector problems to remain in the “lower”complexity class, when re-encoding bit-width from unary to binary. This condition tries tocapture the bounded nature of bit-width in certain bit-vector problems.

In any bit-vector formula, there has to be at least one term with explicit specification of itsbit-width. In the logics we are dealing with, only a variable, a constant, or an uninterpretedfunction can have explicit bit-width. Given a formula φ, let us denote the maximal explicitbit-width in φ with maxbw (φ). Furthermore, let sizebw (φ) denote the number of terms withexplicit bit-width in φ.

Definition 15 (Bit-Width Bounded Formula Set). An infinite set S of bit-vector formulas is(polynomially) bit-width bounded, if there exists a polynomial function p : N 7→ N such that∀φ ∈ S. maxbw (φ) ≤ p(sizebw (φ)).

Proposition 16. Given a bit-width bounded set S of formulas with binary encoded bit-width,any φ ∈ S grows polynomially when re-encoding the bit-widths to unary.

Proof. Let φ′ denote the formula obtained through re-encoding bit-widths in φ to unary. Forthe size of φ′ the following upper bound can be shown: |φ′| ≤ sizebw (φ) ·maxbw (φ) + c. Noticethat sizebw (φ) ·maxbw (φ) is an upper bound on the sum over the sizes of all the terms withexplicit bit-width in φ′. The constant c represents the size of the rest of the formula. Since S isbit-width bounded, it holds that

|φ′| ≤ sizebw (φ) ·maxbw (φ) + c ≤ sizebw (φ) · p(sizebw (φ)) + c ≤ |φ| · p(|φ|) + c

where p is a polynomial function. Therefore, the size of φ′ is polynomial in the size of φ.

By applying this proposition to the logics of Sect. 2 we get:

Corollary 17. Let us assume a bit-width bounded set S of bit-vector formulas. If S ⊆QF UFBV2 (and even if S ⊆ QF BV2), then S ∈ NP. If S ⊆ BV2, then S ∈ PSpace.If S ⊆ UFBV2, then S ∈ NExpTime.

51


4.1 Benchmark Problems

In this section we discuss concrete SMT-LIB benchmark problems, and whether they are bit-width bounded. Since in SMT-LIB bit-widths are encoded logarithmically and quantificationon bit-vectors is not (yet) addressed, we have picked benchmarks from QF BV, which can beconsidered as QF BV2 formulas.

First consider the benchmark family QF BV/brummayerbiere2/umulov2bwb, which representinstances of an unsigned multiplication overflow detection equivalence checking problem, and isparameterized by the bit-width of unsigned multiplicands (b). We show that the set of thesebenchmarks, with b ∈ N, is bit-width bounded, and therefore is in NP. This problem checksthat a certain (unsigned) overflow detection unit, defined in [19], gives the same result as thefollowing condition: if the b/2 most significant bits of the multiplicands are zero, then nooverflow occurs. It requires 2 · (b − 2) variables and a fixed number of constants to formalizethe overflow detection unit, as detailed in [19]. The rest of the formula contains only a fixednumber of variables and constants. The maximal bit-width in the formula is b. Therefore, the(maximal explicit) bit-width is linearly bounded in the number of variables and constants.

The benchmark family QF BV/brummayerbiere3/mulhsb represents instances of computingthe high-order half of product problem, parameterized by the bit-width of unsigned multipli-cands (b). In this problem the high-order b/2 bits of the product are computed, following analgorithm detailed in [21, Page 132]. The maximal bit-width is b and the number of variablesand constants to formalize this problem is fixed, i.e., independent of b. Therefore, the (maximalexplicit) bit-width is not bounded in the number of variables and constants.

The family QF BV/bruttomesso/lfsr/lfsrt b n formalizes the behaviour of a linear feed-back shift register [6]. Since, by construction, the bit-width (b) and the number (n) of registersdo not correlate, and only n variables are used, this benchmark problem is not bit-width bounded.

5 Conclusion

We discussed complexity of deciding various quantified and quantifier-free fixed-size bit-vectorlogics. In contrast to existing literature, where usually it is not distinguished between unaryor binary encoding of the bit-width, we argued that it is important to make this distinction.Our new results apply to the actual much more natural binary encoding as it is also used instandard formats, e.g. in the SMT-LIB format.

We proved that deciding QF BV2 is NExpTime-complete, which is the same complexity asfor deciding UFBV1. This shows that binary encoding for bit-widths has at least as much ex-pressive power as quantification does. We also proved that UFBV2 is 2-NExpTime-complete.The complexity of deciding BV2 remains unclear. While it is easy to show ExpSpace-inclusionfor BV2 by bit-blasting to an exponential-size QBF, and NExpTime-hardness follows directlyfrom QF BV2 ⊂ BV2, it is not clear whether QF BV2 is complete for any of these classes.

We also showed that under certain conditions on bit-width the increase of complexity thatcomes with a binary encoding can be avoided. Finally, we gave examples of benchmark problemsthat do or do not fulfill this condition. As future work it might be interesting to consider ourresults in the context of parametrized complexity [10].

Our theoretical results give an argument for using more powerful solving techniques. Cur-rently the most common approach used in state-of-the-art SMT solvers for bit-vectors is basedon simple rewriting, bit-blasting, and SAT solving. We have shown this can possibly pro-duce exponentially larger formulas when a logarithmic encoding is used as an input. Possiblecandidates are techniques used in EPR and/or (D)QBF solvers (see e.g. [13, 15]).

52


References

[1] Abdelwaheb Ayari, David A. Basin, and Felix Klaedtke. Decision procedures for inductive booleanfunctions based on alternating automata. In CAV, volume 1855 of LNCS. Springer, 2000.

[2] Salman Azhar, Gary Peterson, and John Reif. Lower bounds for multiplayer non-cooperativegames of incomplete information. Computers & Mathematics with Applications, 41:957–992, 2001.

[3] Clark W. Barrett, David L. Dill, and Jeremy R. Levitt. A decision procedure for bit-vectorarithmetic. In Proceedings of the 35th Design Automation Conference, pages 522–527, 1998.

[4] Nikolaj Bjørner and Mark C. Pichora. Deciding fixed and non-fixed size bit-vectors. In TACAS,volume 1384 of LNCS, pages 376–392. Springer, 1998.

[5] Robert Brummayer, Armin Biere, and Florian Lonsing. BTOR: bit-precise modelling of word-levelproblems for model checking. In Proc. 1st International Workshop on Bit-Precise Reasoning, pages33–38, New York, NY, USA, 2008. ACM.

[6] Roberto Bruttomesso and Natasha Sharygina. A scalable decision procedure for fixed-width bit-vectors. In ICCAD, pages 13–20. IEEE, 2009.

[7] Bogdan S. Chlebus. From domino tilings to a new model of computation. In Symposium onComputation Theory, volume 208 of LNCS. Springer, 1984.

[8] Byron Cook, Daniel Kroening, Philipp Rummer, and Christoph M. Wintersteiger. Ranking func-tion synthesis for bit-vector relations. In TACAS, volume 6015 of LNCS. Springer, 2010.

[9] David Cyrluk, Oliver Moller, and Harald Rueß. An efficient decision procedure for a theory offixed-sized bitvectors with composition and extraction. In Computer-Aided Verification (CAV ’97),pages 60–71. Springer, 1997.

[10] Rodney G. Downey and Michael R. Fellows. Parameterized Complexity. Springer, 1999. 530 pp.

[11] Anders Franzen. Efficient Solving of the Satisfiability Modulo Bit-Vectors Problem and SomeExtensions to SMT. PhD thesis, University of Trento, 2010.

[12] Edwin E. Freed. Binary magic numbers – some applications and algorithms. Dr. Dobb’s Journalof Software Tools, 8(4):24–37, 1983.

[13] Andreas Frohlich, Gergely Kovasznai, and Armin Biere. A DPLL algorithm for solving DQBF. InPragmatics of SAT 2012, 2012. to appear.

[14] Michael R. Garey and David S. Johnson. “Strong” NP-completeness results: Motivation, examples,and implications. J. ACM, 25(3):499–508, July 1978.

[15] Konstantin Korovin. iProver — an instantiation-based theorem prover for first-order logic (systemdescription). In Proc. IJCAR’08, IJCAR ’08. Springer, 2008.

[16] Daniel Kroening and Ofer Strichman. Decision Procedures: An Algorithmic Point of View. Textsin Theoretical Computer Science. Springer, 2008.

[17] Maarten Marx. Complexity of modal logic. In Handbook of Modal Logic, volume 3 of Studies inLogic and Practical Reasoning, pages 139–179. Elsevier, 2007.

[18] Matthias Niewerth and Thomas Schwentick. Two-variable logic and key constraints on data words.In ICDT, pages 138–149, 2011.

[19] Michael J. Schulte, Mustafa Gok, Pablo I. Balzola, and Robert W. Brocato. Combined unsignedand two’s complement saturating multipliers. In Proceedings of SPIE : Advanced Signal ProcessingAlgorithms, Architectures, and Implementations, pages 185–196, July 2000.

[20] Andrej Spielmann and Viktor Kuncak. On synthesis for unbounded bit-vector arithmetic. Tech-nical report, EPFL, Lausanne, Switzerland, February 2012.

[21] Henry S. Warren. Hacker’s Delight. Addison-Wesley Longman, 2002.

[22] Christoph M. Wintersteiger. Termination Analysis for Bit-Vector Programs. PhD thesis, ETHZurich, Switzerland, 2011.

[23] Christoph M. Wintersteiger, Youssef Hamadi, and Leonardo Mendonca de Moura. Efficientlysolving quantified bit-vector formulas. In Proc. FMCAD, pages 239–246. IEEE, 2010.

53


A Table: Completeness results for bit-vector logics

quantifiersno yes

uninterpreted functions uninterpreted functionsno yes no yes

encodingunary NP NP PSpace NExpTimebinary NExpTime NExpTime ? 2-NExpTime

Table 1: Completeness results for various bit-vector logics considering different encodings

B Example: A reduction of DQBF to QF BV2

Consider the following DQBF formula:

∀u0, u1, u2∃x(u0), y(u1, u2) . (x ∨ y ∨ ¬u0 ∨ ¬u1) ∧(x ∨ ¬y ∨ u0 ∨ ¬u1 ∨ ¬u2) ∧(x ∨ ¬y ∨ ¬u0 ∨ ¬u1 ∨ u2) ∧(¬x ∨ y ∨ ¬u0 ∨ ¬u2) ∧(¬x ∨ ¬y ∨ u0 ∨ u1 ∨ ¬u2)

This DQBF formula is unsatisfiable. Let us note that by adding one more dependency for y, oreven by making x and y dependent on all uis, the resulting QBF formula becomes satisfiable.

Using the reduction in Sect. 3.1, this formula is translated to the following QF BV2 formula:((X | Y |∼U0 |∼U1) & (X |∼Y | U0 |∼U1 |∼U2) & (X |∼Y |∼U0 |∼U1 | U2) &

(∼X | Y |∼U0 |∼U2) & (∼X |∼Y | U0 | U1 |∼U2))

=∼0[8] ∧∧i∈0,1,2

(((Ui (1 i)) + Ui

)= ∼0[8]

)∧

(X & U1) =((X (1 1)) & U1

)∧

(X & U2) =((X (1 2)) & U2

)∧

(Y & U0) =((Y (1 0)) & U0

)(5)

In the following, let us show that this formula is also unsatisfiable. Note that M30 = 55

[8]16 =

01010101[8]2 , M3

1 = 33[8]16 = 00110011

[8]2 , and M3

2 = 0F[8]16 = 00001111

[8]2 , where “·16” resp. “·2”

denotes hexadecimal resp. binary encoding of the binary magic numbers.In the following, let us show that the formula (5) is also unsatisfiable. First, we show how

the bits of X get restricted by the constraints introduced above. Let us denote the originallyunrestricted bits of X with x7, x6, . . . , x0. Since the bit-vectors

(X & U1) =(0, 0, X[5], X[4], 0, 0, X[1], X[0]

)and (

(X (1 1)) & U1

)=(0, 0, X[7], X[6], 0, 0, X[3], X[2]

)54


are forced to be equal, some bits of X should coincide, as follows:

X :=(x5, x4, x5, x4, x1, x0, x1, x0

)Furthermore, considering also the equation of

(X & U2) =(0, 0, 0, 0, X[3], X[2], X[1], X[0]

)and (

(X (1 2)) & U2

)=(0, 0, 0, 0, X[7], X[6], X[5], X[4]

)results in

X :=(x1, x0, x1, x0, x1, x0, x1, x0

)In a similar fashion, the bits of Y are constrained as follows:

Y :=(y6, y6, y4, y4, y2, y2, y0, y0

)In order to show that the formula (5) is unsatisfiable, let us evaluate the “clauses” in theformula:

(X | Y |∼U0 |∼U1) =(

1 , 1 , 1 , x0 ∨ y4 , 1 , 1 , 1 , x0 ∨ y0)

(X |∼Y | U0 |∼U1 |∼U2) =(

1 , 1 , 1 , 1 , 1 , 1 , x1 ∨ ¬y0 , 1)

(X |∼Y |∼U0 |∼U1 | U2) =(

1 , 1 , 1 , x0 ∨ ¬y4 , 1 , 1 , 1 , 1)

(∼X | Y |∼U0 |∼U2) =(

1 , 1 , 1 , 1 , 1 , ¬x0 ∨ y2 , 1 , ¬x0 ∨ y0)

(∼X |∼Y | U0 | U1 |∼U2) =(

1 , 1 , 1 , 1 , ¬x1 ∨ ¬y2 , 1 , 1 , 1)

By applying bitwise and to them, we get the bit-vector represented by the formula (5):

111

(x0 ∨ ¬y4) ∧ (x0 ∨ y4)¬x1 ∨ ¬y2¬x0 ∨ y2x1 ∨ ¬y0

(x0 ∨ y0) ∧ (¬x0 ∨ y0)

=

111x0

¬x1 ∨ ¬y2¬x0 ∨ y2x1 ∨ ¬y0

y0

In order to check if every bits of this bit-vector can evaluate to 1, it is sufficient to try to satisfythe set of the above (propositional) clauses. It is easy to see that this clause set is unsatisfiable,since by unit propagation x1 and y2 must be 1, which contradicts with the clause ¬x1 ∨ ¬y2.

55

A Machine Learning Technique for Hardness

Estimation of QFBV SMT Problems

(Work in progress)Mohammad Abdul Aziz, Amr Wassal and Nevine Darwish

Computer Engineering Department, Cairo University, Cairo, [email protected]

a.wassal,[email protected]

Abstract

In this paper, we present a new approach for measuring the expected runtimes (hard-ness) of SMT problems. The required features, the statistical hardness model used andthe machine learning technique which we used are presented. The method is applied toestimate the hardness of problems in the Quantier Free Bit Vector (QFBV) theory andwe used four of the contesting solvers in SMTCOMP2011 to demonstrate the technique.We have qualitatively expanded some propositional SAT features existing in the literatureto directly work on general SMT problem instances without preprocessing. Experimentalresults with the standard set of benchmarks are promising and our implementation provesthe concept.

1 Introduction

Recently SMT has been attracting a lot of research interest because of the wide range ofapplications where it can be applied. It has been extensively used for formal verication ofhardware, software, security protocols as well as other applications. Interest in SMT solversresearch is increasing because of the expressive power they oer compared to SAT solvers.They allow easier ways to solve more complex problems. In addition, due to the theory specicdecision procedures on which they are based they give a better performance than general rstorder logic solvers. In [1] a very good treatment of dierent SMT solving techniques, applicationsand other issues is presented.

Accurate hardness (i.e. solution runtime) evaluation of SMT problem instances will impactbuilding SMT solvers portfolios, where it can help in choosing the solver having the leastexpected runtime, portfolios between SMT solvers and solvers of other types of encodings ofthe same problem, where it can be used to choose an SMT solver or another solver of a dierentencoding of the same problem whichever has less expected runtime. The proposed approachis also characterized by ecient feature extraction time. This is achieved by devising featuresthat work directly on general problems without any need for the problem to be in a standard ornormal form. In our research, we have used problem benchmarks from the SMT-Lib benchmarksrepository. This constitutes a large variety of problems; from industrial problems to randomlygenerated problems to hand crafted problems. [11] is a good reference about the SMT-Libinitiative, the SMT-Lib v2 language, the logics it supports, the theories it supports and thecompatible solvers. We have chosen QFBV logic because the largest repository of benchmarksis for that logic. It also has wide applications in the verication of systems such as softwareverication, hardware verication, cryptographic protocols verication and dierent encodingsof various classical optimization problems. Nevertheless, the method that we propose can begeneralized to other logics.

In the next section we will refer to relevant work in the literature. In section 3 we will describeour main approach and our assumptions regarding the SMT problems and their hardness. In

56 Pascal Fontaine, Amit Goel (eds.); SMT 2012, pp. 5665

[email protected]

a.wassal,[email protected]

Hardness Estimation of QFBV SMT Problems M. Abdul Aziz, A. Wassal, N. Darwish

section 4 we describe the features that we used to characterize the SMT problems. In section 5we describe our experimental setup and the experimental results that we obtained. In sections6 and 7 we conclude and state our suggested steps for future work.

2 Related Work

The literature is rich with publications related to empirical hardness evaluation of problemsin Articial Intelligence (AI). Other relevant eorts have been addressed in research related toalgorithm selection. References like [2, 3, 4, 5, 6] address these questions in a statistical machinelearning setting. Based on a training set of performance data for a large number of probleminstances, a model is learned that maps (problem, algorithm) pairs to expected performance.The most relevant to our work is the Estimation of hardness of propositional SAT problems.This work is well established and has started early since [7] and [8], which considered theempirical performance analysis of DPLL-type SAT solvers running on uniform random k-SATinstances. Specically, it nds a strong correlation between the instance's hardness and theratio of the number of clauses to the number of variables in the instance. For example, it isempirically well established that for random SAT problems the hardest clause to variable ratio.For instance, for random 3-SAT a clauses-to-variables ratio of roughly 4.26 corresponds to aphase transition in an algorithm-independent property of the instance. In other words, thistransition is in the probability that a randomly generated formula having a given ratio willbe satisable. This discovery and others such as islands of tractability in [18], search spacetopologies for stochastic local search algorithms in [16] and [17], backbones in [19], backdoorsin [20] and random restarts in [15], prove that empirical complexity analysis of the problemis useful in discovering some inherent properties in the SAT problem instances independentof the solver's algorithm as well as deepen our understanding of the SAT problem in general.Most relevant to our approach is the work in [9], which is the approach that we have used as astarting point to our work.

3 Main Approach

In this paper we try to devise a technique that can be used in estimating the hardness of SMTproblems. Our technique deals directly with general SMT problems i.e. no preprocessing ofthe problem is required and the problem doesn't have to be in some normal form (such as3-CNF). We will rst start with our the general model of the SMT problem that we chose.Next we describe how an SMT solver solves it and how should this aect the expected hardnessmodel. The SMT problem can be modeled by the tree as shown in Fig. 1. In this model, theproblems are made of a tree whose inner nodes are functions and the leaf nodes are uninterpretedconstants. In the shown tree the white circular nodes are Boolean functions which belong to thecore theory (for instance

∧,∨, −→, etc. . . ), the grey rectangular nodes are theory T functions

which have a Boolean codomain, and a theory sort domain (such as bvuge in the QFBV theory)and the grey triangular nodes are functions which have as a domain and a codomain T theorysorts (such as bvadd in the QFBV theory). The black and grey circular nodes are Booleanand theory T uninterpreted constants, respectively. An SMT solver of the lazy approach willsolve this problem by dealing with the entire problem as a propositional SAT problem, where itwill search for Boolean assignments of Boolean uninterpreted constants and the theory atoms(subtrees which have the rectangular nodes in the tree representation as their heads). Afterthe SAT solver nds a model for this SAT problem, the assignments of the theory atoms are

57


delivered to the theory specic decision procedure, which checks whether this assignment of thetheory atoms is satisable or not according to the structure of the theory subtrees. It passesthe justication in case of an unsatisable assignment, or it returns the model of the theoryuninterpreted constants if the model is satisable. We hypothesize that the hardness H can bemodeled as follows

H = fa(HSAT , HTH , HHYBRID). (1)

Figure 1: A graphical representation of an SMT problem. The white circular nodes are booleanfunctions, the black circular nodes are boolean uninterpreted constants and the grey nodes areT theory functions or uninterpreted constants.

where the variableHSAT is the hardness of the propositional SAT structure of the SMT problem,HTH is the hardness of the theory formula, which contains the conjunction of theory atoms inthe SMT problem and the variable HHYBRID is the hardness introduced by the interactionsand dependencies between the propositional SAT and the theory portions of the problem andfa() is a function that increases with HSAT , HTH and HHYBRID. According to the way wemodeled the hardness of an SMT problem, a statistical hardness model should include threedisjoint sets of features. Each of these sets should be estimating one part of the hardness of theproblem. We assume that each of the parts of the problem hardness will be a linear combinationof the set of its corresponding set of features. This means that each part of the hardness canbe represented by this equation

Hp = kp +

np∑i=1

αixpi, [p : p ∈ [SAT, TH,HY BRID]], (2)

where xp is a feature in the set of features of the hardness part p and np is the number offeatures to represent the part p and kp is a constant. We put this methodology in mind todevise features for each of the parts of the problem hardness.

We follow the assumptions used by [4] to describe the model for the probability distributionof the average runtimes of a propositional SAT problems. In this model, a problem instance irepresented by a feature vector xi has a normal probability distribution for its expected runtime

58


with average fa(xi) and unity variance, where fa() is the hardness model of the solver algorithma.

According to these assumptions from [4], the distribution of the runtime ti of the problemcan be given by the equation

P (ti|xi, a) =e

−(ti−fa(xi))2

2

√2π

. (3)

Therefore for predicting the expected runtime of an instance we will have to learn the hardnessmodel fa() given the set of (feature vector, runtimes) mappings for a set of problem instances.We chose the model to predict the logarithm of the run time instead of the runtime itself tomake training the model more ecient and easier due to the large variation in the runtimesthat solvers experience according to [4].

We chose the function fa() to be a linear model, where a vector w, of coecients to bemultiplied by the feature vector xi and a constant term, is used to get the expectation of thenatural logarithm of the runtime. That is the expected logarithm yi of the runtime is given by

yi = fa(xi) = wT .xi . (4)

According to this linear model, the expected runtime is a weighted linear combination thefeatures that represent the problem instance and since this set of features is the union of thehardness parts sets of features, then the function fa() which is equivalent to the total expectedhardness will be

fa(HSAT , HTH , HHYBRID) = H = α1HSAT + α2HTH + α3HHYBRID. (5)

which is the weigthed sum of the dierent parts of the problem's hardness where α1,α2 and α3

are the corresponding weights.To get the vector of coecients w, we used ridge regression. Specically to get w we will

have to solve the matrix equation

Xw = Y . (6)

where X is the matrix containing the concatenation of the feature vectors of the training setxi, Y is the vector containing the concatenation of the runtimes yi corresponding to each of thefeature vectors in X. We use ridge regression to get the solution for w, which is

w = (XTX + αI)−1XTY . (7)

where α is the Tikhonov factor (Regularization Factor), I is the identity matrix.Although it has a limited hypothesis space, we chose a linear model because of the eciency

of learning it as well as using it to calculate the predicted runtimes which can be useful inapplications such as portfolios.

4 Features

Features chosen are to estimate the rst two components in the assumed model of the runtime,namely, HSAT and HTH . We assume that HHYBRID will be represented only in the constantfactor in the linear model. For the features that represent the propositional SAT structureof the SMT problem, we have used some of the features in [9] as our starting point but after

59


adapting them to suit the richer expressive power of SMT compared to conjunctive normal form(CNF) SAT problems treated in [9] as well as the general structured problems that we want totackle. The rst set of features we used was the number of clauses, the number of variables, theratio of clauses to variables and its reciprocal. The equivalent set of features we used for thesewere the following; associated with each of the modied features is a qualitative justicationwe used to derive it:I)For the number of clauses we used the following features:

• NANDS= The number of arguments to all the∧

functions in the SMT problem.

Justication: each∧

function argument can be considered as a clause.

• NA= The number of asserted Formulas

Justication: because the SMT problem is equivalent to a clause containing the conjunction ofall the assertions in the problem.

• NEQUAL= The summation of the number of the arguments to all the = functions inthe SMT problem. This includes those whose arguments are boolean variables only.

Justication: we rst derive the number of clauses needed to represent a single equal statement.x1 = x2 is equivalent to two clauses which are (x2

∨¬x1)

∧(x1

∨¬x2).

An equal statement containing n arguments ( x1 = x2 = x3 = . . . = xn) can be repre-sented by a conjunction of 2 argument equalities of the form (x1 = x2

∧x2 = x3 . . . xn−2 =

xn−1

∧xn−1 = xn ), which will be a conjuntion of (n − 1) corresponding 2 argument equality

statements. Since each 2 arguments equality is equivalent to a couple of binary clauses, thenthe n arguments equality statement can represented by 2(n− 1) binary clauses.

• NDISTINCT= The summation of the number of the arguments to all the distinct functionsin the SMT problem (This has the same justications of the = function).

• NIMPLY= The number of instances of −→ function in the SMT problem.

The justication:a −→ b is equivalent to (¬a

∨b)∧true, which is equivalent to one clause.

• NXOR= The number of the xor functions in the SMT problem.

The justication:xor(a, b) is equivalent to (¬a

∨¬b)

∧(b∨a), which is equivalent to two clauses.

• NITE= The number of instances of ite function.

The justication:ite(a, b, c) is equivalent to (b

∨¬a)

∧(a∨c)∧(b∨c), which are 3 clauses.

II)For the number of variables we used:

• NBOOL= Number of Boolean uninterpreted constants( These are variables to nd a sub-stitution for.)

• NTHEORY−ATOMS= The number of theory atoms in the SMT problem(The justicationfor this is that; for the propositional SAT solver part of the SMT solver, the theory atomsare substituted and dealt with as if they are Boolean variables i.e. They are assigned thevalues either true or false).

60


III)To measure the equivalent number of clauses, we have weigthed the number of instances ofeach of the boolean functions, and accordingly for the clauses to variables ratio and its reciprocalwe used:

• C/V = (NA + NANDS + 2(NEQUAL − 1) + 2(NDISTINCT − 1) + NIMPLY + NXOR +3NITE)/(NBOOL +NTHEORY−ATOMS)

• V/C

The next two subsets of the features of the propositional SAT structure of SMT problemsare adapted versions of the graphical representation of propositional SAT problems used in [9],namely; The Variable Clause Graph, and the Variables Graph. We have replaced the variable-clause graph with three bipartite graphs. Each of these graphs contained a party for the booleanvariables and another one for the instances of one of the functions that comprised the clausesin the SMT problem. An edge exists between a node in the variables party and a node in thefunction instances party if this variable is an argument for this function instance. We havethree of these graphs; one for the

∧function, another for the = function and a last for the

distinct function. We expect that most of the constraints in the propositional SAT problemare represented in those functions, due to their massive usage of them in the benchmarks. Wealso generalized the Variables Graph to a graph which has a node per Boolean uninterpretedconstant, where an edge exists between any two nodes if they are common arguments for oneor more Boolean function (given that the function is one of the functions which are consideredin the number of clauses features set).

For the features which we used to estimate the theory part of the SMT problem, which inour case was QFBV, we used the total number of bits in the problem (i.e. the summation ofthe lengths of the bitvector uninterpreted constants in the problem)VBIT−V ECTORS , and thenumber of instances of QFBV functions used in the SMT problem. Fig. 2 shows a list of the71 used features classied according to the category of the feature.

5 Experimental Setup and Results

We use benchmarks on the QFBV benchmark repository of SMT-Lib. We chose this benchmarkrepository because it contains a wide variety of problems; industrial, randomly generated prob-lems and handcrafted problems. We have used all the 33000 of these bechmarks for trainingand validation and to obtain the average of 10-fold validation root mean square error (RMSE).We used a feature extraction timeout of 20 seconds, which resulted in using 23433 probleminstances in obtaining our results, with an average feature extraction time 2.453 seconds. Ofthese problems there was 10353 satisable instances and 13080 unsatisable instances. Theonly preprocessing step which we applied to the SMT problems was to remove the let bindingsby substituting them with their corresponding bindings. For the runtimes, we have used theruntime data from the diculty-computation-2012 on the SMTEXEC cluster where a timeoutof 1800 seconds limited the runtimes of the solvers. Interested readers can refer to [12] for moredetails regarding the benchmarks and the SMTEXEC cluster used for collecting the runtimedata. We have also added 0.5 to all of the runtimes, because limits on the resolution of theruntimes reports by SMTEXEC have led to problem instances which have runtimes of zero sec-onds, which could have led to a logarithm of −∞. After extracting the features we normalizedeach of them to be between 0 and 1. For learning the linear model, we used ridge regressionwith a Tikhonov factor of 0.05 (as recommended in the work of [9]).

61


I. Propositional SAT features

1. Boolean variables and Clauses features: 3. Boolean Variables-∧

function graph features:

NA -Boolean variables nodes degree average, entropy,

NANDS maximum, minimum and variation coecient.

NEQUAL -∧function node degree average, entropy, maximum,

NDISTINCT minimum and variation coecient.

NIMPLY 4. Boolean Variables-distinct function graph features:

NXOR -Boolean variables nodes degree average, entropy,

NITE maximum, minimum and variation coecient.

NBOOL -distinct function node degree average, entropy, maximum,

NTHEORY −ATOMS minimum and variation coecient.

V/C 5. Boolean Variables-= function graph features:

C/V -Boolean variables nodes degree average, entropy,

2. Boolean Variables graph features: maximum, minimum and variation coecient.

-Boolean variables nodes degree average, -=function node degree average, entropy, maximum,

entropy, maximum, minimum and variation coecient. minimum and variation coecient.

II. QFBV theory specic features

1. Number of theory variables:

VBIT−V ECTORS

2. Instances of QFBV theory functions:

bvand, bvsub, bvuge,bvugt, bvxor,

bvnot, bvneg, bvor, bvadd, bvmul, bvudiv,

bvxor, bvsle, shlok, addok, bvashr, bvsdiv,

bvurem, bvshl, bvlshr, bvult, bvslt, bvule.

Figure 2: A list of the features used for estimating the hardness of SMT problems, classiedaccording to their category.

Solver/Model SAT UNSAT SAT/UNSAT

BOOLECTOR 0.1494 0.3082 0.2672

MATHSAT 0.1353 0.5851 0.2155

SONOLAR 0.1920 0.3877 0.2320

STP2 0.1346 0.3442 0.3166

Figure 3: The RMSE of the prediction of the logarithms of the runtimes for dierent modelsfor the dierent solvers.

The solvers which were used to get these runtimes were Boolector, MATHSAT, STP2 andSONOLAR. These solvers are based on dierent approaches for solving the QFBV problems.Boolector, SONOLAR and STP2 use bit-blasting to solve QFBV SMT problems ([13], [14] and[22]). Mathsat, on the other hand, uses the lazy approach to solve the QFBV SMT problems([21]).

We have used directly all the features demonstrated in gure 2, except for the features thatwere representing unused functions in all the problem instances (e.g. the XOR function). UsingRidge regression, we learnt a model for each of the previously stated solvers that predicted thelogarithms of the runtimes. Figure 4 shows the correlation between the predicted logarithmof runtimes and the actual logarithms of runtimes. The 10-fold cross validation RMSE of the

62


prediction of the runtimes logarithm for each of the solvers' model are in the third column ofthe table in gure 3.

According to [9], the prediction performance of a propositional SAT problem instance hard-ness model will signicantly improve if a model was devised for satisable problems and anotherfor unsatisable problems. We tried this for QFBV SMT problems, and the results were animprovement in the RMSE of the satisable problems model. On the other hand, a detoriora-tion has happened to the RMSE of the models of the unsatisable problems. Figure 5 showsthe correlation of the predicted and the actual runtimes for the satisable and the unsatisableproblem instances for the dierent solver models. The rst and second columns in the table ingure 3 show the RMSE of the satisable and unsatisable instances respectively for the dier-ent solvers. However, these results for the SMT problems at hand contradict with the resultsreached in [9], where here the satisable problems are more correlated with the prediction un-like the results reached in [9], where the unsatisable problems were the more correlated. Onepossible explanation of the uncertainty of the predictions of the unsatisable problem instances,is that we did not use any of the DPLL probing features, which were the most important in pre-dicting the runtimes of unsatisable problem instances according to [9]. This seems reasonable,because the runtimes of the unsatisable problem instances will most probably be discriminatedwith reasonable certainty by having a low number of assigned variables by applying a probingtechnique for a xed time.

6 Conclusion

To conclude, we have devised a technique for the hardness estimation of SMT problems, whichup to our knowledge, is the rst trial of its kind. We achieved relatively good results withcheeply computed features on a large variety of problems and solvers. Although our approachwas based on an approach targeting random SAT problems and was based on a linear model,it worked on problems whose majority are industrial. The main advantages of our work areboth its simplicity and generality. It can be used for general SMT problems. It provides ageneral technique which is based on the structure of the SMT problem independent of theunderlying logic(s). The features we used spared us from any preprocessing of the problems,such as the conversion of the problem to k-CNF or any other standard form, which helpssaving time making them more usable in applications such as portfolios. Although our modelof the problem hardness assumed that the solver will use the lazy approach in solving the SMTproblem, it worked with signicant accuracy for both types of solvers. This means that thefeatures suggested by us extract problem inherent properties that represent the hardness of theproblem and are solver independent.

7 Future Work

This research is a promising prototype and a proof of concept. We recommend trying it ondierent theories and to try it on problems made of theory combinations and expect it willperform well.

For the features, we think that incorporating a probing technique (for instance an SMTsolver can be run for a xed period, and statistics such as number of restarts, conicts, binarypropagations, etc...) would signicantly improve the preformance of the prediction, escpeciallyfor the unsatisable instances. We also recommend further research to nd some adaptationof the Clauses Graph ([9]) and check how this would aect the prediction eciency. We also

63


recommend to explore more features and check the eect of adding features related to theinteraction part such as theory variables- theory functions graphs, and theory variables- clausesgraphs. Another approach for dealing with the let bindings can lead to great savings in thefeatures extraction time (Currently we are experimenting with the DAG representation of SMTproblems instead of the tree representation which we used).

References

[1] Biere, A., Huele, M., Maaren, V., Walsh, T.: The Handbook Of Satisability, chapter 25, Satis-ability Modulo Theory (2009)

[2] Rice, J.R.: The algorithm selection problem. Advances in computers. 15, 65-118. Academic Press,New York (1976)

[3] Gogiolo, M., Schmidthuber, J.: Learning Dynamic Algorithm Portfolios. Annals of Mathematicsand Articial Intelligence, Volume 47 Issue 3-4, August 2006

[4] Xu, L., Hutter, F., Hoos, H.H., Leyton-Brown, K.: SATzilla Portfolio-based Algorithm Selectionfor SAT. J. of Articial Intelligence Research 32, 565-606 (2008)

[5] The portfolio based rst order logic theorem prover E-SETHEO, http://www4.informatik.

tu-muenchen.de/schulz/WORK/e-setheo.html

[6] Gomes, C., Selman, S.: Algorithm Portfolios. Articial Intelligence Journal, Vol. 126, 43-62 (2001)

[7] Selman, B., Mitchell, D., Levesque, H.J.: Generating hard satisability problems. Articial Intel-ligence, 81(1-2):17.29 (1996)

[8] P. Cheeseman, B. Kanefsky, and W. M. Taylor. Where the Really Hard Problems Are. In: Proc.IJCAI-1991, pages 331.337 (1991)

[9] Nudelman, E., Leyton-Brown, K., Hoos, H.H., Devkar, A., Shoham, Y.:Understanding RandomSAT: Beyond the Clauses-to-Variables Ratio. In: Principles and Practice of Constraint Program-ming - CP 2004, 10th International Conference, CP 2004, Toronto, Canada, September 27 -October 1, 2004, Proceedings, Vol. 3258, pp. 438-452 (2004)

[10] Guyon, I., Gunn, S., Nikravesh, M., Zadeh, L.: Feature Extraction, Foundations and Applications.Springer. (2006)

[11] Barrett, C., Stump, A., Tinelli, C.: The SMT-LIBv2 Language and Tools: A Tutorial (2010)

[12] The SMTEXEC website, http://www.smtexec.org/

[13] Brummayer,R., and Biere, A.: Boolector: An Ecient SMT Solver for Bit-Vectors and Arrays.In: Proc. 15th Intl. Conf. on Tools and Algorithms for the Construction and Analysis of Systems(TACAS'09), Lecture Notes in Computer Science (LNCS), vol. 5505, pages 174-177, Springer(2009)

[14] Biere, A.: PicoSAT Essentials. Journal on Satisability, Boolean Modeling and Computation 475-97 (2008)

[15] Gomes, C., Selman, B., Crato, N., and Kautz, H.: Heavy-tailed phenomena in satisability andconstraint satisfaction problems. J. of Automated Reasoning, 24(1):67100 (2000)

[16] Hoos, H., and Stutzle, T.: Stochastic Local SearchFoundations and Applications. Morgan Kauf-mann (2004)

[17] Hoos, H.: SAT-encodings, search space structure, and local search performance. In: Proc. IJCAI-99, pages 296302. Morgan Kaufmann (1999)

[18] Phokion Kolaitis: Constraint satisfaction, databases and logic. In: Proc. IJCAI-2003, pages15871595 (2003)

[19] Monasson, R., Zecchina, R., Kirkpatrick, S., Selman, B., and Troyansky, L.: Determining com-putational complexity from characteristic 'phase transitions'. Nature, 400:133137 (1999)

64

http://www4.informatik.tu-muenchen.de/schulz/WORK/e-setheo.html

http://www4.informatik.tu-muenchen.de/schulz/WORK/e-setheo.html

http://www.smtexec.org/


Figure 4: The results for a single model for both satisable and unsatisable problems shownoisy correlation between actual and predicted logarithms of runtimes. The shown gures fromleft to right are for Boolector, MATHSAT, SONOLAR and STP2.

Figure 5: The results for a seperate model for satisiable and unsatisable problems. Theupper four graphs are for the models of the satisable instances, and the lower are for theunsatisable instances. The shown gures from left to right are for Boolector, MATHSAT,SONOLAR and STP2. The models for the satisable models show better correlation resultsthan the unsatisable models.

[20] Williams, R., Gomes, C., and Selman, B.: Backdoors to typical case complexity. In: Proc. IJCAI-2003, pages 11731178 (2003)

[21] Bruttomesso, R. ,Cimatti, A., Franz, A.,Griggio , A., Hanna, Z., Nadel, A., Palti, A. , andSebastiani, R.: A Lazy and Layered SMT(BV ) Solver for Hard Industrial Verication Problems.In proc. International Conference on Computer-Aided Verication, CAV 2007 (2007)

[22] Ganesh, V., and Dill, D.: A Decision Procedure for Bit-Vectors and Arrays. In proc. InternationalConference on Computer-Aided Verication, CAV 2007 (2007)

65

Reachability Modulo Theory Library

(Extended Abstract)

Francesco AlbertiFormal Verification and Security Lab.

University of Lugano, [email protected]

Roberto BruttomessoAtrenta

Grenoble, [email protected]

Silvio GhilardiUniversita degli Studi di Milano

Milan, [email protected]

Silvio RaniseFBK - Irst

Trento, [email protected]

Natasha SharyginaFormal Verification and Security Lab.

University of Lugano, [email protected]

Abstract

Reachability analysis of infinite-state systems plays a central role in many verificationtasks. In the last decade, SMT-Solvers have been exploited within many verification toolsto discharge proof obligations arising from reachability analysis. Despite this, as of todaythere is no standard language to deal with transition systems specified in the SMT-LIBformat. This paper is a first proposal for a new SMT-based verification language that issuitable for defining transition systems and safety properties.

1 Introduction

Reachability analysis plays a central role in many verification tasks. This kind of analysisaddresses the problem of verifying if a given system can reach a particular configuration ofinterest, representing, e.g., the violation of properties which should be satisfied by every statereachable by the system, a goal that should be always reachable, etc.

While a finite-state representation is well-suited to formally represent hardware systems, itfails to deal with several aspects of software systems, because they give rise to infinite statespaces. Examples of such aspects include parameterization, i.e., systems with an unboundednumbers of components, systems handling variables defined over unbounded domains, dynamicprocesses creation and memory allocation, etc. The reachability problem for infinite-statesystems is, in general, undecidable. Nonetheless it received—and still is receiving—a lot ofattention, as many verification tasks of real systems can be reduced to it. For example, thinkabout a protocol ensuring the mutual exclusion in a multi-agent system. The configuration ofinterest is that in which at least two agents are, at the same time, in the critical section.

It is not difficult to see that the class of infinite-state systems is huge, ranging from im-perative programs to parameterized protocols, access control policies, timed automata, etc.Each class of systems requires ad hoc techniques, heuristics, algorithms and arrangements toeffectively perform a reachability analysis. Since there is no standard for the specification ofinfinite-state systems, it is extremely difficult to evaluate and compare different tools solv-ing the same problems. Furthermore, there is no collection of benchmarks which would beextremely useful in helping developers in advancing the performance of their tools. Threenotable exceptions are (1) the Intermediate Verification Languages (IVLs) for program verifi-cation such as Boogie [3] and Why [9], (2) the Numerical Transition Systems (NTSs) Library(richmodels.epfl.ch/ntscomp) whose aim is to provide a common general format and a openlibrary of benchmarks for NTSs, i.e. simple models of computation involving infinite (or verylarge) data domains, such as integers, rationals or reals, and (3) the Verification Modulo Theo-ries (VMT) Initiative (www.vmt-lib.org) whose ambitious goal is to provide a common format


[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

richmodels.epfl.ch/ntscomp

www.vmt-lib.org

Reachability Modulo Theory Library F. Alberti et al.

and a library of verification problems for transition systems symbolically described in the SMT-LIB standard.

The aim of this paper is to propose a new language for the specification of an important classof reachability problems for infinite-state systems, represented in an extension of the SMT-LIBlanguage, so that a collection of benchmarks can be built and verification tools can be comparedmeaningfully. On the one hand, our aim is more general than IVLs and the NTS Library sincewe consider a larger class of systems; e.g., not only programs or counter automata but alsodistributed systems and timed networks. On the other hand, we are more focused than theVMT Initiative since we consider only reachability problems based on our experience with thetools mcmt [13] and Safari [1].

For the sake of simplicity and uniformity in presenting our language, we do not considerad-hoc constructs (e.g., abstract reachability trees) for structure preserving abstractions of thecontrol-flow, the recursive or the multi-procedure calls of (imperative) programs that are im-portant ingredients of many software verification techniques for reachability problems. Thestudy of how to combine our proposal with such constructs is left to future work. Some prelim-inary investigations to represent imperative programs (without recursion and procedures) in adeclarative framework similar to the one proposed here have been done in [1].

We hope that this paper can contribute to the debate about the representation of bench-marks for verification problems and advance the state of the art in the field, as happened for,e.g., the SMT-LIB library [18] for SMT-Solvers, TPTP library [20] for theorem proving, orSATLIB library [15] for propositional satisfiability solvers.

Outline of the paper. We introduce an overall description of transition systems modulotheories and the related reachability problem in Section 2. Section 3 presents a suitable languagefor the definition of transition systems and reachability problems as an extension of the SMT-LIB. We conclude in Section 4. An extended version of this report as well as examples writtenin the proposed language can be found at http://www.oprover.org/rmt-lib.

2 SMT-based Transition Systems

We assume the usual first-order syntactic notions of signature, term, formula, and so on. Fol-lowing the SMT-LIB tradition, a theory is a pair T = (Σ, C) where Σ is a signature and C a setof Σ-structures which are called models of T . Given a theory T = (Σ, C) and a set v of “fresh”constant, function, or predicate symbols (i.e. v ∩ Σ = ∅), a T -formula φ(v) is a formula builtout of the symbols in v ∪ Σ. The formula φ can be seen as a Tv-formula where Tv = (Σ′, C′)with Σ′ = Σ ∪ v and C′ contains all the Σ′-structures whose reduct to Σ is a model of T .1 Wesay that a T -formula φ(v) is T -satisfiable iff φ is Tv-satisfiable, i.e. if there exists a model Mof Tv such that φ is true in M. If v and v′ are two sets of fresh symbols, then v,v′ denotestheir union v ∪ v′ and φ(v,v′) is the formula built out of the symbols in v ∪ v′ ∪ Σ.

In our framework, a transition system over a background theory T = (Σ, C) is defined ina completely declarative way as a tuple ST = (v, I(v), τ(v,v′)). The set v of fresh symbolsis called the set of state variables of ST ; a formula φ(v) is called a state formula. I(v) is astate formula representing the set of initial states. We assume the availability of the set v′ ofprimed copies of the state variables in v; a formula τ(v,v′) is called a transition formula. Thetransition formula τ(v,v′) represents the transition relation, defining an association between

1Let Σ and Σ′ be two signatures such that Σ ⊆ Σ′. If M is a Σ′-structure, then its reduct to Σ is obtainedfrom M by forgetting the interpretations of the symbols in Σ′ \ Σ.

67

http://www.oprover.org/rmt-lib


the state variables v immediately before the execution of the transition, i.e. in the actual state,and the state variables v′ immediately after the execution of the transition, i.e. in the nextstate. The nature of T determines if ST is a finite- or infinite-state system.

Let ST = (v, I(v), τ(v,v′)) be a transition system over a background theory T and vn beobtained from the set v by renaming a copy of each state variable in v with n primes. The(unbounded) reachability problem for ST is defined as a pair (ST , F (v)) where F (v) is a stateformula describing a (possibly infinite) set of states, called final, error or goal states. Thesolution of this problem exists, i.e., a set of states represented by F (v) is reachable by ST if itexists n ≥ 0 such that

I(v(0)) ∧ τ(v(0),v(1)) ∧ · · · ∧ τ(v(n−1),v(n)) ∧ F (v(n)) (1)

is T -satisfiable. When, besides the transition system ST and the final formula F (v), a boundn ≥ 0 is known, we speak of the bounded reachability problem for ST . A solution to this problemexists if there exists 0 ≤ n ≤ n such that (1) is T -satisfiable. In the following, we focus onunbounded reachability problems since their bounded version has received a lot of attention inthe SMT literature; e.g., [16] discusses the problem of using the SMT-LIB language to specifytransition systems in the context of Bounded Model Checking (BMC) and, more recently, [17]puts forward the need for a common standard for BMC problems. Indeed, our proposal can beeasily adapted to bounded reachability problems.

A well-known method (see, e.g., [19]) to solve the reachability problem amounts to repeatedlycomputing pre-images (post-images) of a final (initial) formula with respect to the transitionformula. Formally, given a set s(v) of states and a transition formula τ(v,v′), the post-imageof s(v) w.r.t. τ(v,v′) is the formula ∃v′.(s(v′) ∧ τ(v′,v)), while the pre-image is the formula∃v′.(s(v′) ∧ τ(v,v′)). The reachability procedure terminates in two cases. The former is whena fix-point is reached, i.e. when the set of states described by the pre-image (post-image, resp.)computed at the n-th iteration is a sub-set of the set of states represented by the union of all thepre-images (post-image, resp.) computed in previous iterations (this is called a fix-point test).The latter is when the intersection of the currently computed pre-image (post-image, resp.) withthe set of initial (final, resp.) states is non-empty (this is called a safety test). Roughly, the ideais to unwind the transition formula until either all reachable states of ST have been exploredor an instance of (1) is found to be satisfiable for a certain n.2 Formally, the intersectionbetween two set s1(v) and s2(v) of states is empty iff the state formula s1(v) ∧ s2(v) is T -unsatisfiable and the set s1(v) is a sub-set of the set s2(v) iff the state formula s1(v) ∧ ¬s2(v)is T -unsatisfiable. We observe that, when the set v of state variables contains function andpredicate symbols, the formulae defining post- and pre-images are second-order formulae. Toavoid T -satisfiability checks involving second-order formulae, we assume that it is possible tocompute first-order formulae that are equivalent to the second order post- or pre-images so thatsafety and fix-point tests can be mechanized by currently available SMT solvers. In many casesof practical interest, this assumption holds as there is a close relationship between second orderlogic and many-sorted first-order logic (see [8] for details). An alternative to stay in the realmof first-order logic is to encode functions and predicates into the theory of arrays as done, forexample, in [12].

A naive implementation of the reachability procedure is based on a client-server architecture.The client repeatedly computes pre- or post-images and generates the proof obligations encodingfix-point and safety checks. The server is an SMT solver capable of discharging the proofobligations generated by the client. In theory, suitable constraints on the background theoriesand the shape of the formulæ in the SMT-based transition system should be identified to

2Other techniques based on overapproximations of reachable states have been recently proposed [5].

68


guarantee the effectiveness of the reachability procedure, such as decidability of the satisfiabilityproblems encoding safety and fix-point tests, and representability of the fix-point within aclass of formulæ for termination. In practice, suitable algorithms and heuristics are needed toscale up to the verification of interesting systems. In these respects, a classification of SMT-based transition systems would be extremely helpful to help tools select the right techniques toefficiently explore the search space of a reachability problem.

Example 1. Consider a simplified variant of the Bakery algorithm in which a finite (butunknown) number of processes should be granted mutual exclusion to a critical section by usingtickets that uniquely identify processes. Processes are arranged in an array whose indexes (i.e.tickets) are linearly ordered and each process can be in one of three states: idle, wait, critical. Atthe beginning, all processes are in the idle state. There are three possible transitions involvinga single process with index z (in all transitions, the processes with index different from z remainin the same state): (τ1) z is in idle, all the processes to its left are idle, and z moves to wait;(τ2) z is in wait, all the processes to its right are idle, and z moves to critical; and (τ3) z is incritical and moves to idle. The system should satisfy the following mutual exclusion property:there are no two distinct processes in the critical section at the same time.

We define a background theory TB = (ΣB , CB) as follows. ΣB contains Ind and Loc as sortsymbols, three constant symbols i, w, and c of sort Loc, and a predicate symbol < (writteninfix) of arity Ind × Ind . A model in CB interprets < as a linear order over the elements in theinterpretation of Ind and Loc is a set of three elements, the interpretations of the constants i,w, and c.

The SMT-based symbolic transition system (vB , IB , τB) is defined as follows: vB is a sin-gleton containing the function symbol a of arity Ind → Loc, IB is the formula ∀z.a(z) = i, andτB is the disjunction of the following three formulae:

τ1(a, a′) := ∃z. ( a(z) = i ∧ ∀w.w < z → a(w) = i ∧ ∀j.a′(j) = ite(j = z, w, a(j) )τ2(a, a′) := ∃z. ( a(z) = w ∧ ∀w.z < w → a(w) = i ∧ ∀j.a′(j) = ite(j = z, c, a(j) )τ3(a, a′) := ∃z. ( a(z) = c ∧ ∀j.a′(j) = ite(j = z, i, a(j) ),

where z, w, j are variables of sort Ind .Finally, the error formula F can be written as ∃z1, z2.(z1 6= z2 ∧ a(z1) = c ∧ a(z2) = c),

where z1, z2 are variables of sort Ind .

Notice that TaB is the theory obtained by extending TB with the function symbol a that is

to be interpreted as a function mapping elements of the interpretation of Ind to elements of theinterpretation of Loc. Alternative formalization are possible. For example, we could have usedthe theory of arrays whose indexes are of sort Ind and whose elements are of sort Loc. The statevariable a is simply an array constant and an expression of the form ∀j.a′(j) = ite(j = z, c, a(j))in the τj ’s above could be written as a′ = store(a, j, c) for c a constant of sort Loc.

3 Proposal

We describe an extension of the SMT-LIB language that is suitable for specifying reachabilityproblems along the lines of Section 2. Our proposal extends the set of SMT-LIB v.2 scriptcommands in order to define the background theory, the state variables, the initial, transition,and goal formulae that together uniquely identify a reachability problem. As in the SMT-LIBstandard, a script is used to communicate with a tool in a read-eval-print loop in such a way thatthe next command is parsed, executed, and a response message printed until all commands areconsidered. Possible responses may vary from a single symbol (e.g., reachable, unreachable,

69


or unknown) to complex expressions like a (finite) sequence of formulae encoding the run of thesystem leading it from a state satisfying the initial formula to one satisfying the final formula.

In the following, we fix an SMT-based symbolic transition system S = (v, I(v), τ(v,v′))over a background theory T = (Σ, C) and a final formula F (v). Below, we let 〈symbol〉,〈numeral〉, 〈sort〉, 〈sorted var〉, and 〈term〉 be syntactic categories inherited from the SMT-LIB v.2 standard (see [4] for the definition).The background theory. The command

(set-theory 〈symbol〉 )allows us to specify the “kernel” of the background theory T identified by 〈symbol〉 and availableamong those defined in the SMT-LIB v.2 standard, e.g., Core, Ints, and ArraysEx.

Remark 1. In the SMT-LIB standard, a benchmark problem is associated with a logic thatidentifies both a class of models and a set of formulae. The main reason is that there may existsets of formulae of a theory that admits more efficient satisfiability procedures than other sets.For example, the satisfiability of conjunctions of difference logic constraints over the integers inwhich no negated equalities occur can be checked in polynomial time whereas the satisfiability ofarbitrary difference logic constraints becomes NP-complete. Instead, for a reachability problemwe specify a background theory (via the command set-theory) according to Section 2.

Our motivation is the following: there exist techniques (see, e.g., [2] for an example in aframework which is similar to the one proposed here) to over-approximate the set of reachablestates with simple formulae (e.g., containing only existential quantifiers) despite the fact thatthe formulae in the SMT-based transition system are more complex (e.g., they contain bothexistential and universal quantifiers as the disjuncts τ1 and τ2 of the transition formula inExample 1). If we used such an over-approximation of the fix-point in the safety test and thisis negative (i.e. the intersection is empty), we are entitled to conclude that also the safety testwith the exact fix-point is negative and the final formula is unreachable. Other techniques (see,e.g., [7, 14]) allows one to transform a complex reachability problem expressed with formulaecontaining quantifiers into one in which only quantifier-free formulae occur and such that theformer admits a solution if the latter does so. For example, the counting abstraction techniquein [7] transforms the formulae of cache coherence protocols into quantifier-free formulae ofLinear Arithmetic over the integers. The crucial advantage of this kind of techniques is adramatic simplification of the formulae encoding both the safety and the fix-point tests. Asa consequence, the satisfiability problems may become significantly simpler (sometimes, theresult is even to transform the problem into an equivalent one falling into a decidable class).

From the viewpoint of the specification of reachability problems, it is difficult (if possible atall) to foresee if the techniques discussed above can be applied and even what kind of transitionsystem they produce. In fact, not only the shape of the formulae may change but also thebackground theory of the transformed transition system can be different as the example of thecounting abstraction shows. Deeper insights into the techniques used by reachability proce-dures based on SMT techniques must be gained in order to design a more precise specificationlanguage.

The kernel theory can be extended by declaring additional sort and function symbols byusing standard SMT-LIB v.2 commands, such as declare-sort, define-sort, declare-fun,and define-fun (see [4] for their definition). The declared additional symbols are indeeduninterpreted and to constrain their interpretations, we introduce the command

(declare-axiom 〈term〉 )that defines the axiom encoded by the Boolean term term and extends the kernel theory. Weassume term to be a sentence of the background theory of the transition system, i.e. it contains

70


no state variables.

Example 2. Consider the theory TB in Example 1. It can be seen as an extension of thetheory Core with the sort symbols Ind and Loc, the weak leq and strict le predicate symbolsfor the linear order, and four axioms to constrain their interpretation:(set-theory Core)

(declare-sort Ind) (declare-fun leq (Ind Ind) Bool) (declare-fun le (Ind Ind) Bool)

(declare-axiom (forall ((?x Ind)) (leq ?x ?x)))

(declare-axiom (forall ((?x Ind) (?y Ind)) (=> (and (leq ?x ?y) (leq ?y ?x))

(= ?x ?y))))

(declare-axiom (forall ((?x Ind) (?y Ind) (?z Ind)) (=> (and (leq ?x ?y) (leq ?y ?z))

(leq ?x ?z))))

(declare-axiom (forall ((?x Ind) (?y Ind)) (or (leq ?x ?y) (leq ?y ?x))))

(declare-axiom (forall ((?x Ind) (?y Ind)) (= (le ?x ?z)

(and (leq ?x ?y) (not (= ?x ?y))))))

(declare-sort Loc)

(declare-fun i () Loc) (declare-fun w () Loc) (declare-fun c () Loc)

(declare-axiom (and (not (= i w)) (not (= i c)) (not (= w c))))

(declare-axiom (forall ((?x Loc)) (or (= ?x i) (= ?x w) (= ?x c))))

The first three axioms express the fact that leq is a linear order and the fourth axiom definesits strict version le. The last two axioms above constrain the interpretation of Loc to be a setcontaining exactly the interpretation of the constants i, w, and c.

Since constraining the interpretation of a sort to be a finite set (as it is the case of Loc inthe example above) is quite common, we introduce the command

(define-subrange 〈symbol〉 (〈numeral1〉〈numeral2〉 ))that introduces the sort symbol and the numerals in the interval [numeral1 . . . numeral2]as constants of that sort that are to be interpreted as distinct elements. For instance, wecan replace the declarations of the sort Loc, the constants i, w, c, and the two axioms in theexample above with (define-subrange Loc (1 3)) and assume that the constant i is mappedto the numeral 1, w to 2, and c to 3. In other words, the command define-subrange definesan enumerated datatype over a certain sort whose constants are identified as the numeralsin a contiguous sub-set of the naturals. An alternative would be a command to define anenumerated datatype by listing all its elements. In case of large sets of elements, the drawbackis that explicit enumerations can be rather tedious. Instead, the corresponding definition bythe define-subrange command is very compact.

Remark 2. The possibility of defining theories by using finitely many axioms was available inSMT-LIB v.1.2 [18] but is no more so in SMT-LIB v.2 [4]. This is justified by the observationthat many theories in the standard require infinitely many axioms [4]. In our experience withthe model checker mcmt [13] and its successor Safari [1], the flexibility of defining theoriesby finitely many axioms is crucial to identify classes of the reachability problem that guaranteethe decidability of the satisfiability problems encoding safety and fix-point tests or the termi-nation of the reachability procedure. Our experience was driven by the theoretical frameworkdeveloped in [12] that allowed us to identify sufficient conditions for the mechanization andtermination of a class of SMT-based transition systems, called array-based systems. A keyingredient of such conditions is a class of background theories that are (i) expressive enough toencode practically interesting transition systems and (ii) “simple” enough to guarantee boththe decidability of the safety and fix-point tests and sometimes also the termination of (back-ward) reachability. Roughly, the axioms needed for such “simple” background theories require

71


just a finite set of predicate symbols and a finite set of universal sentences (i.e. sentences ofthe form ∀x.ϕ(x) for x a finite tuple of variables of appropriate sort and ϕ a quantifier-freeformula). The theory TB in Example 1 (see also the box in Example 2) is an instance of a“simple” theory in this sense.

From a practical point of view, an obvious question arises: can available SMT solvers copewith such a flexible way of defining theories? The answer is offered by the proposal of severalquantifier instantiation procedures (see, e.g., [10] and the references therein) that are quitesuccessful in checking the satisfiability of formulae containing quantifiers. An ad hoc techniquecombining quantifier instantiation and quantifier-free reasoning has been proposed together withsome heuristics [11] to discharge the proof obligations arising in the backward reachability ofarray-based systems. An alternative to quantifier instantiation procedures would be to encodethe additional symbols in complex theories for which satisfiability procedures are available. Forinstance, the standard less-than relation in the theory Ints of the standard SMT-LIB v.2 (seepage 31 of [18]) can be taken as the linear order < of Example 1; many state-of-the-art SMTsolvers provide support for the fragment of Ints containing the less-than relation.

To summarize, a careful use of the command declare-axiom can have two advantages. First,it is possible to precisely define background theories that allow for proving important propertiesof classes of reachability problems. Second, reasoning modulo such background theories can beefficiently supported by available SMT solvers when the declared axioms allow the maximalreuse of available procedures, possibly leveraging recent advances in quantifier instantiationprocedures.

The SMT-based transition system. Once the background theory T has been declared, we needto specify the SMT-based transition system S = (v, I(v), τ(v,v′)). The command

(declare-state-var 〈symbol〉 ( 〈sort〉∗ ) 〈sort〉 )declares the state variable symbol together with its arity. This is similar to the behav-ior of the command declare-fun in the SMT-LIB v.2 standard with a key difference:declare-state-var also declares a composed symbol

(primed 〈symbol〉)with the same arity of symbol. This is the crucial syntactic extension to the SMT-LIB v.2standard, required to create a relationship between the state variable symbol in v and its copysymbol′ in v′. The former identifies the value of the state variable immediately before theexecution of a transition whereas the latter the value immediately after.

The command(declare-initial 〈term〉 )

defines the state formula encoded by the Boolean term term characterizing the set of initialstates, and the command

(declare-transition 〈term〉 )defines one disjunct of the transition formula encoded by the Boolean term term. For thecommand declare-initial, the term term may contain symbols of the background theoryand the state variables; for the command declare-transition, the term may also contain theprimed version of the state variables.

Example 3. Let us consider the SMT-based transition system in Example 1. The state variablea in the example of Section 1 can be declared as

(declare-state-var a (Ind) Loc).

72


As a consequence of the execution of this command, not only the function symbol a of arity(Ind) Loc will be available but also the (atomic) symbol (primed a) with the same arity.

The state formula IB in Example 1 can be declared as

(declare-initial (forall ((?z Ind)) (= (a ?z) i)))

and

(declare-transition (exists ((?z Ind)) (and (= (a ?z) c)

(forall ((?w Ind)) (= ((primed a) ?w) (ite (= ?w ?z) i (a ?w))))))) .

is the disjunct τ3 of the transition formula τB .

In our experience with mcmt and Safari, we have found it useful to describe the behaviorof a transition system not only by transition formulae but also by system constraints, i.e.formulae that must be satisfied in every state of a run of the system. Intuitively, constraintsusually encode invariants of the transition system that are enforced by the environment in whichthe system evolves or by the way in which the state variables are updated. For example, it iswell-known that a Petri net can be specified by a SMT-based transition system over integerstate variables counting the number of tokens in each place; a system constraint is that eachstate variable must be non-negative. For this reason, we introduce the command

(declare-system-constraint 〈term〉 )that adds the constraint encoded by the Boolean term term to the specification of the transitionsystem. We assume term to be a state formulae.The final formula. Now that the transition system S = (v, I(v), τ(v,v′)) has been specified,we are ready to specify the final formula F (v) to complete the specification of a reachabilityproblem (S, F ). The command

(declare-goal 〈term〉 )sets the state formula encoded by the Boolean term term as the final (error or goal) formula.

Example 4. The final formula in Example 1 can be given as

(declare-goal (exists ((?z1 Ind) (?z2 Ind))

(and (not (= ?z1 ?z2)) (= (a ?z1) c) (= (a ?z2) c)))).

When there more than one declare-goal command in a script, the goal formula is obtainedby taking the disjunction of all their arguments.Other commands. The command

(check-reachability)

actually tells the tool to check if the goal formula is reachable or not. The response to thiscommand can be reachable, unreachable, or unknown. The last symbol can be returned whenthe tool has used over-approximation techniques.

When there are more than one declare-goal command, it is left to the tool to decide toconsider each goal separately, all of them together, or some subset. It is known that it is usuallybetter to consider several goals at the same time.

Sometimes, the reachability problem is so complex that it is better to guide the tool to-wards the fact that a certain goal is unreachable by constructing an appropriate sequence(S, F1), ..., (S, Fn−1), (S, Fn) of reachability problems where Fn encodes the complement of thesafety property that S should satisfy while the complement of F1, ..., Fn−1 are invariants of Sthat may hopefully contribute to show that Fn is unreachable. For example, if F1 has beenfound unreachable, then its negation can be used in the fix-point tests when trying to establish

73


the unreachability of F2 by checking the satisfiability of s1(v) ∧ ¬F1(v) ∧ ¬s2(v) rather thansimply s1(v) ∧ ¬s2(v) for s1, s2 state formulae describing the sets of reachable states at twosuccessive iterations of the reachability procedure. Example of this technique can be foundin [2, 6].

Indeed, building the right sequence of reachability problems that allow one to prove a certainsafety problem is a difficult task that may well depend on the heuristics used by a tool to exploitpreviously solved reachability problems. To simplify this kind of interaction, we believe it isuseful to have commands push and pop as in the SMT-LIB v.2 standard that allows one tohandle a stack of reachability problems. In order to keep those goals whose negation willconstitute a useful invariant for the proof of a certain safety property, we provide the command

(save-verified-goals)

that permits to save the goals that have been shown unreachable so as to prevent their deletionby some pop command.

We also envisage other commands for setting the parameters of reachability solver. Thecommand

(set-option 〈reachability option〉 )may set how the search space should be computed (e.g., depth- or breadth-first) or heuristicsfor the synthesis of invariants should be turned on. A value for reachability option can be

:produce-counterexample 〈b value〉that tells the prover to return (or not according to the fact that b value is true or false) asequence of transition formulae that leads the system from a state satisfying the inital formulato one satisfying the final formula. Indeed, every tool may define its own set of reachabilityoptions. The command

(set-smt-option 〈option〉 )may suggest a set the options to the background SMT solver that should be used to dischargethe proof obligations encoding the safety or the fix-point tests where 〈option〉 is inherited fromthe SMT-LIB v.2 standard.

Every reachability problem must end with the command

(exit)

4 Conclusion

We have presented an extension of the SMT-LIB which is suitable for the description of reach-ability problems for a large class of heterogeneous transition systems. The problem of finding acommon standard is in dire need of solutions for many reasons, most importantly the inabilityin performing comparison between competitor systems and the lack of a library for collectingbenchmarks. Further discussions on this problem are surely needed, and we hope the SMTcommunity will benefit from the ideas presented in this paper.

References

[1] Francesco Alberti, Roberto Bruttomesso, Silvio Ghilardi, Silvio Ranise, and Natasha Sharygina.Lazy abstraction with interpolants for arrays. In LPAR, pages 46–61, 2012.

[2] Francesco Alberti, Silvio Ghilardi, Elena Pagani, Silvio Ranise, and Gian Paolo Rossi. Universalguards, relativization of quantifiers, and failure models in model checking modulo theories. JSAT,8(1/2):29–61, 2012.

74


[3] Michael Barnett, Bor-Yuh Evan Chang, Robert DeLine, Bart Jacobs, and K. Rustan M. Leino.Boogie: A modular reusable verifier for object-oriented programs. In FMCO, pages 364–387, 2005.

[4] Clark Barrett, Aaron Stump, and Cesare Tinelli. The SMT-LIB Standard: Version 2.0.www.SMT-LIB.org, 2010.

[5] Aaron R. Bradley and Zohar Manna. Checking safety by inductive generalization of counterex-amples to induction. In FMCAD, pages 173–180. IEEE Computer Society, 2007.

[6] Roberto Bruttomesso, Alessandro Carioni, Silvio Ghilardi, and Silvio Ranise. Automated analysisof timing based mutual exclusion algorithms. In NASA FM, 2012.

[7] Giorgio Delzanno. Automatic Verification of Parameterized Cache Coherence Protocols. In CAV,LNCS, 2000.

[8] Herbert B. Enderton. A mathematical introduction to logic. Harcourt/Academic Press, 2001.

[9] Jean-Christophe Filliatre and Claude Marche. The Why/Krakatoa/Caduceus Platform for Deduc-tive Program Verification. In CAV, pages 173–177, 2007.

[10] Yeting Ge and Leonardo de Moura. Complete instantiation for quantified SMT formulas. InConference on Computer Aided Verification (CAV), 2009.

[11] Silvio Ghilardi and Silvio Ranise. Model Checking Modulo Theory at work: the integration ofYices in MCMT. In AFM, 2009.

[12] Silvio Ghilardi and Silvio Ranise. Backward Reachability of Array-based Systems by SMT solving:Termination and Invariant Synthesis. LMCS, 6(4), 2010.

[13] Silvio Ghilardi and Silvio Ranise. MCMT: A Model Checker Modulo Theories. In IJCAR, pages22–29, 2010.

[14] Sumit Gulwani and Madan Musuvathi. Cover Algorithms and their Combination. In ESOP,LNCS, 2008.

[15] Holger H. Hoos and Thomas Stutzle. SATLIB: An Online Resource for Research on SAT. In I. P.Gent, H. v. Maaren, and T. Walsh, editors, SAT, pages 283–292. IOS Press, 2000.

[16] Tim King and Clark Barrett. Exploring and Categorizing Error Spaces using BMC and SMT. InProc. of the 9th Int. Workshop on Satisfiability Modulo Theories (SMT), 2011.

[17] Akash Lal, Shaz Qadeer, and Shuvendu K. Lahiri. Corral: A Solver for Reachability ModuloTheories. In Proc. of Computer-Aided Verification (CAV), 2012.

[18] Silvio Ranise and Cesare Tinelli. The Satisfiability Modulo Theories Library (SMT-LIB).www.SMT-LIB.org, 2006.

[19] Tatiana Rybina and Andrei Voronkov. A logical reconstruction of reachability. In Ershov MemorialConf., volume 2890 of LNCS, pages 222–237. Springer, 2003.

[20] Geoff Sutcliffe. The TPTP Problem Library and Associated Infrastructure: The FOF and CNFParts, v3.5.0. Journal of Automated Reasoning, 43(4):337–362, 2009.

75

http://www.smt-lib.org

http://www.smt-lib.org

An SMT-LIB Format for Sequences and Regular

Expressions

(Extended Abstract)


Vijay GaneshMIT

Raphael MichelUniversity of Namur

Margus VeanesMicrosoft Research

Abstract

Strings are ubiquitous in software. Tools for verification and testing of software rely invarious degrees on reasoning about strings. Web applications are particularly important inthis context since they tend to be string-heavy and have large number security errors at-tributable to improper string sanitzation and manipulations. In recent years, many stringsolvers have been implemented to address the analysis needs of verification, testing andsecurity tools aimed at string-heavy applications. These solvers support a basic representa-tion of strings, functions such as concatenation, extraction, and predicates such as equalityand membership in regular expressions. However, the syntax and semantics supportedby the current crop of string solvers are mutually incompatible. Hence, there is an acuteneed for a standardized theory of strings (i.e., SMT-LIBization of a theory of strings) thatsupports a core set of functions, predicates and string representations.

This paper presents a proposal for exactly such a standardization effort, i.e., an SMT-LIBization of strings and regular expressions. It introduces a theory of sequences general-izing strings, and builds a theory of regular expressions on top of sequences. The proposedlogic QF BVRE is designed to capture a common substrate among existing tools for stringconstraint solving.

1 Introduction

This paper is a design proposal for an SMT-LIB format for a theory of strings and regularexpressions. The aim is to develop a set of core operations capturing the needs of verification,analysis, security and testing applications that use string constraints. The standardized theoryshould be rich enough to support a variety of existing and as-yet-unknown new applications.More complex functions/predicates should be easily definable in it. On the other hand, thetheory should be as minimal as possible in order for the corresponding solvers to be relativelyeasy to write and maintain.

Strings can be viewed as monoids (sequences) where the main operations are creating theempty string, the singleton string and concatentation of strings. Unification algorithms forstrings have been subject to extensive theoretical advances over several decades. Modern pro-gramming environments support libraries that contain a large set of string operations. Ap-plications arising from programming analysis tools use the additional vocabulary available inlibraries. A realistic interchange format should therefore support operations that are encoun-tered in applications.

The current crop of string solvers [9, 12, 3] have incompatible syntax and semantics. Hence,the objective of creating an SMT-LIB format for string and regular expression constraints is toidentify a uniform format that can be targeted by applications and consumed by solvers.

The paper is organized as follows. Section 2 introduces the theory Seq of sequences. Thetheory RegEx of regular expressions in Section 3 is based on Seq. The theories admit sequencesand regular expressions over any type of finite alphabet. The characters in the alphabet are


SMT-LIB Sequences and Regular Expressions N. Bjørner, V. Ganesh, R. Michel, M. Veanes

defined over the theory of bit-vectors (Section 4). Section 5 surveys the state of string-solvingtools. Section 6 describes benchmark sets made available for QF BVRE and a prototype. Weprovide a summary in Section 7.

2 Seq: A Theory of Sequences

In the following, we develop Seq as a theory of sequences. It has a sort constructor Seq thattakes the sort of the alphabet as argument.

2.1 The Signature of Seq

(par (A) (seq-unit (A) (Seq A))) ; String consisting of a single character

(par (A) (seq-empty (Seq A))) ; The empty string

(par (A) (seq-concat ((Seq A) (Seq A)) (Seq A))) ; String concatentation

(par (A) (seq-cons (A (Seq A)) (Seq A))) ; pre-pend a character to a seq

(par (A) (seq-rev-cons ((Seq A) A) (Seq A))) ; post-pend a characeter

(par (A) (seq-head ((Seq A)) A)) ; retrieve first character

(par (A) (seq-tail ((Seq A)) (Seq A))) ; retrieve tail of seq

(par (A) (seq-last ((Seq A)) A)) ; retrieve last character

(par (A) (seq-first ((Seq A)) (Seq A))) ; retrieve all but the last char

(par (A) (seq-prefix-of ((Seq A) (Seq A)) Bool)) ; test for seq prefix

(par (A) (seq-suffix-of ((Seq A) (Seq A)) Bool)) ; test for postfix

(par (A) (seq-subseq-of ((Seq A) (Seq A)) Bool)) ; sub-sequence test

(par (A) (seq-extract ((Seq A) Num Num) (Seq A))) ; extract sub-sequence

parametric in Num

(par (A) (seq-nth ((Seq A) Num) A)) ; extract n’th character

parametric in Num

(par (A) (seq-length ((Seq A)) Int) ; retrieve length of sequence

The sort Num can be either an integer or a bit-vector. The logic QF BVRE instantiates thesort Num to bit-vectors, and not to an integer.

2.2 Semantics Seq

The constant seq-empty and function seq-concat satisfy the axioms for monoids. That is,seq-empty is an identity of seq-concat and seq-concat is associative.

(seq-concat seq-empty x) = (seq-concat x seq-empty) = x

(seq-concat x (seq-concat y z)) = (seq-concat (seq-concat x y) z)

Furthermore, Seq is the theory all of whose models are an expansion to the free monoidgenerated by seq-unit and seq-empty.

77


2.2.1 Derived operations

All other functions (except extraction and lengths) are derived. They satisfy the axioms:

(seq-cons x y) = (seq-concat (seq-unit x) y)

(seq-rev-cons y x) = (seq-concat y (seq-unit x))

(seq-head (seq-cons x y)) = x

(seq-tail (seq-cons x y)) = y

(seq-last (seq-rev-cons x y)) = y

(seq-first (seq-rev-cons x y)) = x

(seq-prefix-of x y) ⇔ ∃z . (seq-concat x z) = y

(seq-suffix-of x y) ⇔ ∃z . (seq-concat z x) = y

(seq-subseq-of x y) ⇔ ∃z, u . (seq-concat u x z) = y

Observe that the value of (seq-head seq-empty) is undetermined. Similarly for seq-tail,seq-first and seq-last. Their meaning is under-specified. Thus, the theory Seq admits all

interpretations that satisfy the free monoid properties and the axioms above.

2.2.2 Extraction and lengths

It remains to provide semantics for sequence extraction and length functions. We will heredescribe these informally.

(seq-length s) The length of sequence s. Seq satisfies the monoid axioms and is freelygenerated by unit and concatenation. So every sequence is a finite concatenation of units(i.e., characters in the alphabet). The length of a sequence is the number of units in theconcatenation.

(seq-extract seq lo hi) produces the sub-sequence of characters between lo and hi-1. Ifthe length of seq is less than lo, then the produced subsequence is empty. If the bit-vector hi is smaller than lo the result is, once again, the empty sequence. If the length ofseq is larger than lo, but less than hi, then the result is truncated to the length of seq.In other words, seq-extract satisfies the equation (The length function is abbreviatedas l(s)):

(seq-extract s lo hi) =

seq-empty if l(s) < lo

seq-empty if hi < lo

seq-empty if hi < 0

(seq-extract (seq-tail s) (lo− 1) (hi− 1)) if 0 < lo

(seq-extract (seq-first s) (0) (m)) if 0 < m

m = l(s)− hi+ 1

s otherwise

(seq-nth s n) Extract the n’th character of sequence s. Indexing starts at 0, so for exampleis c (where Num ranges over Int).

78


(seq-nth (seq-cons c s) 0)

3 RegEx: A Theory of Regular Expressions

We summarize a theory of regular expressions over sequences. It includes the usual operationsover regular expressions, but also a few operations that we found useful from applications whenmodeling recognizers of regular expressions. It has a sort constructor RegEx that takes a sortof the alphabet as argument.

3.1 The Signature of RegEx

(par (A) (re-empty-set () (RegEx A))) ; Empty set

(par (A) (re-full-set () (RegEx A))) ; Univeral set

(par (A) (re-concat ((RegEx A) (RegEx A)) (RegEx A))) ; Concatenation

(par (A) (re-of-seq ((Seq A)) (RegEx A))) ; Regular expression of sequence

(par (A) (re-empty-seq () (RegEx A))) ; same as (re-of-seq seq-empty)

(par (A) (re-star ((RegEx A)) (RegEx A))) ; Kleene star

(par (A) ((_ re-loop i j) ((RegEx A)) (RegEx A))) ; Bounded star, i,j >= 0

(par (A) (re-plus ((RegEx A)) (RegEx A))) ; Kleene plus

(par (A) (re-option ((RegEx A)) (RegEx A))) ; Option regular expression

(par (A) (re-range (A A) (RegEx A))) ; Character range

(par (A) (re-union ((RegEx A) (RegEx A)) (RegEx A))) ; Union

(par (A) (re-difference ((RegEx A) (RegEx A)) (RegEx A))) ; Difference

(par (A) (re-intersect ((RegEx A) (RegEx A)) (RegEx A))) ; Intersection

(par (A) (re-complement ((RegEx A)) (RegEx A))) ; Complement language

(par (A) (re-of-pred ((Array A Bool)) (RegEx A))) ; Range of predicate

(par (A) (re-member ((Seq A) (RegEx A)) Bool)) ; Membership test

Note the following. The function re-range is defined modulo an ordering over the charactersort. The ordering is bound in the logic. For example, in the QF BVRE logic, the correspondingordering is unsigned bit-vector comparison bvule. While re-range could be defined usingre-of-pred, we include it because it is pervasively used in regular expressions. The functionre-of-pred takes an array as argument. The array encodes a predicate. No other features ofarrays are used, and the intent is that benchmarks that use re-of-pred also include axiomsthat define the values of the arrays on all indices. For example we can constrain p using anaxiom of the form

(assert (forall ((i (_ BitVec 8))) (iff (select p i) (bvule #0A i))))

3.2 Semantics of RegEx

Regular expressions denote sets of sequences. Assuming a denotation [[s]] for sequence expres-sions, we can define a denotation function of regular expressions:

79


[[re-empty-set]] = ∅

[[re-full-set]] = s | s is a sequence

[[(re-concat x y)]] = s · t | s ∈ [[x]], t ∈ [[y]]

[[(re-of-seq s)]] = [[s]]

[[re-empty-seq]] = [[seq-empty]]

[[(re-star x)]] = [[x]]∗ =

ω⋃

i=0

[[x]]i

[[(re-plus x)]] = [[x]]+ =

ω⋃

i=1

[[x]]i

[[(re-option x)]] = [[x]] ∪ [[seq-empty]]

[[(( re-loop l u) x)]] =

u⋃

i=l

[[x]]i

[[(re-union x y)]] = [[x]] ∪ [[y]]

[[(re-difference x y)]] = [[x]] \ [[y]]

[[(re-intersect x y)]] = [[x]] ∩ [[y]]

[[(re-complement x)]] = [[x]]

[[(re-range a z)]] = [[(seq-unit x)]] | a ≤ x ≤ z

[[re-of-pred p]] = [[(seq-unit x)]] | p[x]

[[(re-member s x)]] = [[s]] ∈ [[x]]

3.3 Anchors

Most regular expression libraries include anchors. They are usually identified using regularexpression constants ^ (match the beginning of the string) and $ (match the end of a string).We were originally inclined to include operators corresponding these constants. In the end,we opted to not include anchors as part of the core. The reasons were that it is relativelystraightforward to convert regular expressions with anchor semantics into regular expressionswithout anchor semantics. The conversion increases the size of the regular expression at mostlinearly, but in practice much less. If we were to include anchors, the semantics of regularexpression containment would also have to take anchors into account. The denotation of regularexpressions would then be context dependent and not as straightforward.

We embed regular expressions with anchor semantics into regular expressions with “regular”semantics using the funnction complete. It takes three regular expressions as arguments, andit is used to convert the regular expression e with anchors by calling it with the argumentscomplete(e,⊤,⊤). Note that the symbol ⊤ corresponds to re-full-set, and ǫ corresponds tore-empty-set.

80


complete(string, e1, e2) = e1 · string · e2

complete(x · y,⊤,⊤) = complete(x,⊤, ǫ) complete(y, ǫ,⊤)

complete(x · y,⊤, ǫ) = complete(x,⊤, ǫ) y

complete(x · y, ǫ,⊤) = x complete(y, ǫ,⊤)

complete($, e1, e2) = ǫ

complete(^, e1, e2) = ǫ

complete(x+ y, e1, e2) = complete(x, e1, e2) + complete(y, e1, e2)

We will not define complete for Kleene star, complement or difference. Such regular expres-sions are normally considered malformed and are rejected by regular expression tools.

4 The logic QF BVRE

The logic QF BVRE uses the theory of sequences and regular expressions. It includes the SMT-LIB theory of bit-vectors as well. Formulas are subject to the following constraints:

• Sequences and regular expressions are instantiated to bit-vectors.

• The sort Num used for extraction and indexing is a bit-vector.

• re-range assumes the comparison predicate bvule.

• Length functions can only occur in comparisons with other lengths or numerals obtainedfrom bit-vectors. So while the range of seq-length is Int, it is only used in relativecomparisons or in comparisons with a number over a bounded range. In other words, weadmit the following comparisons (where n is an integer constant):

(<, <=, =, >=, > (seq-length x) (seq-length y))

(<, <=, =, >=, > (seq-length x) n)

To maintain decidability, we also require that whenever a benchmark contains (seq-length x)

it also contains an assertion of the form (assert (<= (seq-length x) n)).

• The sequence operations seq-prefix-of, seq-suffix-of and seq-subseq-of are ex-cluded.

5 String solvers

String analysis has recently received increased attention, with several automata-based analysistools. Besides differences in notation, which the current proposal addresses, the tools alsodiffer in expressiveness and succinctness of representation for various fragments of (extended)regular expressions. The tools also use different representations and algorithms for dealingwith the underlying automata theoretic operations. A comparison of the basic tradeoffs between

81


automata representations and the algorithms for product and difference is studied in [11], wherethe benchmarks originate from a case study in [19].

The Java String Analyzer (JSA) [7] uses finite automata internally to represent strings withthe dk.brics.automaton library, where automata are directed graphs whose edges representcontiguous character ranges. Epsilon moves are not preserved in the automata but are elimi-nated upon insertion. This representation is optimized for matching strings rather than finding

strings.The Hampi tool [16] uses an eager bitvector encoding from regular expressions to bitvector

logic. The Kudzu/Kaluza framework extends this approach to systems of constraints withmultiple variables and supports concatenation [22]. The original Hampi format does not directlysupport regular expression quantifiers “at least m times” and “at most n times”, e.g., a regexa1,3 would need to be expanded to a|aa|aaa. The same limitation is true for the coreconstraint language of Kudzu [22] that extends Hampi.

The tool presented in [14] uses lazy search algorithms for solving regular subset constraints,intersection and determinization. The automaton representation is based on the Boost GraphLibrary [23] and uses a range representation of character intervals that is similar to JSA.The lazy algorithms produce significant performance benefits relative to DPRLE [13] and theoriginal Rex [27] implementation. DPRLE [13] has a fully verified core specification written inGallina [8], and an OCaml implementation that is used for experiments.

Rex [27] uses a symbolic representation of automata where labels are represented by predi-cates. Such automata were initially studied in the context of natural language processing [21].Rex uses symbolic language acceptors, that are first-order encodings of symbolic automata intothe theory of algebraic datatypes. The initial Rex work [27] explores various optimizations ofsymbolic automata, such as minimization, that make use of the underlying SMT solver to elim-inate inconsistent conditions. Subsequent work [26] explores trade-offs between the languageacceptor based encoding and the use of automata-specific algorithms for language intersec-tion and language difference. The Symbolic Automata library [25] implements the algebra ofsymbolic automata and transducers [24]. Symbolic Automata is the backbone of Rex and Bek.1

Kleene Boole re-range re-of-pred re-loop seq-concat seq-length ΣJSA X X X BV16

Hampi X X BV8Kudzu/Kaluza X X X X BV8

Symbolic Automata/Rex X X X X X ALL

Table 1: Expressivity of string tools.

Table 1 compares expressivity of the tools with an emphasis on regular expression con-straints. Columns represent supported features. Kleene stands for the operations re-empty-set,re-empty-seq, re-concat, re-union, and re-star. Boole stands for re-intersect andre-complement. Σ refers to supported alphabet theories. In Hampi and Kudzu the Booleanoperations over languages can be encoded through membership constraints and Boolean oper-ations over formulas. In the Symbolic Automata Toolkit, automata are generic and support allSMT theories as alphabets.

A typical use of re-range is to succinctly describe a contiguous range of characters, such asall upper case letters or [A-Z]. Similarly, re-of-pred can be used to define a character class

such as \W (all non-word-letter characters) through a predicate (represented as an array). For

1http://research.microsoft.com/bek/

82


example, provided that W is defined as follows

∀x(W [x] ⇔ ¬((‘A’ ≤ x ≤ ‘Z’) ∨ (‘a’ ≤ x ≤ ‘z’) ∨ (‘0’ ≤ x ≤ ‘9’) ∨ x = ‘_’))

then (re-of-pred W) is the regex that matches all non-word-letter characters. Finally,re-loop is a succinct shorthand for bounded loops that is used very frequently in regularexpressions.

MONA [10, 17] provides decision procedures for several varieties of monadic second–orderlogic (M2L) that can be used to express regular expressions over words as well as trees. MONArelies on a highly-optimized multi-terminal BDD-based representation for deterministic au-tomata. Mona is used in the PHP string analysis tool Stranger [29] through a string manipu-lation library.

Other tools include custom domain-specific string solvers [20, 28]. There is also a widerange of application domains that rely on automata based methods: strings constraints withlength bounds [30]; automata for arithmetic constraints [6]; automata in explicit state modelchecking [5]; word equations [1, 18]; construction of automata from regular expressions [15].Moreover, certain string constraints based on common string library functions [4] (not usingregular expressions) can be directly encoded using a combination of existing theories providedby an SMT solver.

6 A prototype for QF BVRE based on the Symbolic Au-tomata Toolkit

This section describes a prototype implementation for QF BVRE. It is based on the SymbolicAutomata Toolkit [25] powered by Z3. The description sidesteps the current limitation that allterms s of sort (Seq σ) are converted to terms of sort (List σ). While lists in Z3 satisfy allthe algebraic properties of sequences, only the operations equivalent to seq-empty, seq-cons,seq-head, and seq-tail are (directly) supported in the theory of lists. This also explains whyseq-concat and seq-length (as is also noted in Table 1) are currently not supported in thisprototype.

To start with, the benchmark file is parsed by using Z3’s API method ParseSmtlib2File

providing a Z3 Term object ϕ that represents the AST of the assertion contained in the file.The assertion ϕ is converted into a formula Conv (ϕ) where each occurrence of a membershipconstraint (re-member s r) has been replaced by an atom (Accr s), where Accr is a newuninterpreted function symbol called the symbolic languge acceptor for r. The symbol Accr isassociated with a set of axioms Th(r) such that, (Accr s) holds modulo Th(r) iff s is a sequencethat matches the regular expression r. The converted formula Conv (ϕ) as well as all the axiomsTh(r) are asserted to Z3 and checked for satisfiability.

The core of the translation is in converting r into a Symbolic Finite Automaton SFA(r) andthen defining Th(r) as the theory of SFA(r) [26]. The translation uses closure properties ofsymbolic automata under the following (effective) Kleene and Boolean operations:

• If A and B are SFAs then there is an SFA A ·B such that L(A ·B) = L(A) · L(B).

• If A and B are SFAs then there is an SFA A ∪B such that L(A ∪B) = L(A) ∪ L(B).

• If A and B are SFAs then there is an SFA A ∩B such that L(A ∩B) = L(A) ∩ L(B).

• If A is an SFAs then there is an SFA A∗ such that L(A∗) = L(A)∗.

83


• If A is an SFAs then there is an SFA A such that L(A) = L(A).

The effectiveness of the above operations does not depend on the theory of the alphabet. InSFAs all transitions are labeled by predicates. In particular, a bit-vector range (re-range m n)is mapped into an anonymous predicate λx.(m ≤ x ≤ n) over bit-vectors and a predicate(re-of-pred p) is just mapped to p. The overall translation SFA(r) now follows more-or-lessdirectly by induction of the structure of r. The loop construct (re-loop m n r) is unfoldedby using re-concat and re-union. Several optimizatons are possible that have been omittedhere.

As a simple example of the above translation, consider the regex

utf16 = ^([\0-\uD7FF\uE000-\uFFFF]|([\uD800-\uDBFF][\uDC00-\uDFFF]))*$

that describes valid UTF16 encoded strings. Using the SMT2 format and assuming thedefined sort as (_ BitVec 16) the regex is

(re-star (re-union (re-union (re-range #x0000 #xD7FF) (re-range #xE000 #xFFFF))

(re-concat (re-range #xD800 #xDBFF) (re-range #xDC00 #xDFFF))))

The resulting SFA(utf16) can be depicted as follows:

q0 q0 q1

λx.#xD800 ≤ x ≤ #xDBFF

λx.#xDC00 ≤ x ≤ #xDFFF

λx.(x ≤ #xD7FF∨ #xE000 ≤ x)

and the theory Th(utf16) contains the following axioms:

∀y(Accutf16(y) ⇔ (y = ǫ ∨ (y 6= ǫ ∧ (head (y) ≤ #xD7FF∨ #xE000 ≤ head(y)) ∧ Accutf16(tail(y)))∨(y 6= ǫ ∧ #xD800 ≤ head(y) ≤ #xDBFF∧Acc1(tail (y)))))

∀y(Acc1(y) ⇔ (y 6= ǫ ∧ #xDC00 ≤ head(y) ≤ #xDFFF∧Accutf16(tail (y))))

Benchmarks in the proposed SMT-LIB format that are handled by the tool are available2.

7 Summary

We proposed an interchange format for sequences and regular expressions. It is based on thefeatures of strings and regular expressions used in current main solvers for regular expressions.There are many possible improvements and extensions to this proposed format. For example,it is tempting to leverage that SMT-LIB already allows string literals. The first objective isto identify a logic that allows to exchange meaningful benchmarks between solvers and en-able comparing techniques that are currently being developed for solving sequence and regularexpression constraints.

7.1 Contributors

Several people contributed to discussions about SMTization of strings, including Nikolaj Bjørner,Vijay Ganesh, Tim Hinrichs, Pieter Hooimeijer, Raphael Michel, Ruzica Piskac, Cesare Tinelli,Margus Veanes, Andrei Voronkov and Ting Zhang. This effort grew out from discussions atDagstuhl seminar [2] and was followed up at [email protected].

2 http://research.microsoft.com/~nbjorner/microsoft.automata.smtbenchmarks.zip

84

[email protected]

http://research.microsoft.com/~nbjorner/microsoft.automata.smtbenchmarks.zip


References

[1] Sebastian Bala. Regular language matching and other decidable cases of the satisfiability problemfor constraints between regular open terms. In STACS, pages 596–607, 2004.

[2] Nikolaj Bjørner, Robert Nieuwenhuis, Helmut Veith, and Andrei Voronkov. Decision Proceduresin Soft, Hard and Bio-ware - Follow Up (Dagstuhl Seminar 11272). Dagstuhl Reports, 1(7):23–35,2011.

[3] Nikolaj Bjørner, Nikolai Tillmann, and Andrei Voronkov. Path feasibility analysis for string-manipulating programs. In TACAS, 2009.

[4] Nikolaj Bjørner, Nikolai Tillmann, and Andrei Voronkov. Path feasibility analysis for string-manipulating programs. In TACAS, 2009.

[5] Stefan Blom and Simona Orzan. Distributed state space minimization. J. Software Tools forTechnology Transfer, 7(3):280–291, 2005.

[6] Bernard Boigelot and Pierre Wolper. Representing arithmetic constraints with finite automata: Anoverview. In ICLP 2002: Proceedings of The 18th International Conference on Logic Programming,pages 1–19, 2002.

[7] Aske Simon Christensen, Anders Møller, and Michael I. Schwartzbach. Precise Analysis of StringExpressions. In SAS, 2003.

[8] Thierry Coquand and Gerard P. Huet. The calculus of constructions. Information and Computa-tion, 76(2/3):95–120, 1988.

[9] Vijay Ganesh, Adam Kiezun, Shay Artzi, Philip J. Guo, Pieter Hooimeijer, and Michael D. Ernst.Hampi: A string solver for testing, analysis and vulnerability detection. In Ganesh Gopalakrishnanand Shaz Qadeer, editors, CAV, volume 6806 of Lecture Notes in Computer Science, pages 1–19.Springer, 2011.

[10] J.G. Henriksen, J. Jensen, M. Jørgensen, N. Klarlund, B. Paige, T. Rauhe, and A. Sandholm.Mona: Monadic second-order logic in practice. In TACAS’95, volume 1019 of LNCS, 1995.

[11] Pieter Hooimeijer and Margus Veanes. An evaluation of automata algorithms for string analysis.In VMCAI’11, volume 6538 of LNCS, pages 248–262. Springer, 2011.

[12] Pieter Hooimeijer and Westley Weimer. A decision procedure for subset constraints over regularlanguages. In PLDI, 2009.

[13] Pieter Hooimeijer and Westley Weimer. A decision procedure for subset constraints over regularlanguages. In PLDI, 2009.

[14] Pieter Hooimeijer and Westley Weimer. Solving string constraints lazily. In ASE, 2010.

[15] Lucian Ilie and Sheng Yu. Follow automata. Information and Computation, 186(1):140–162, 2003.

[16] Adam Kiezun, Vijay Ganesh, Philip J. Guo, Pieter Hooimeijer, and Michael D. Ernst. HAMPI: asolver for string constraints. In ISSTA, 2009.

[17] Nils Klarlund, Anders Møller, and Michael I. Schwartzbach. MONA implementation secrets.International Journal of Foundations of Computer Science, 13(4):571–586, 2002.

[18] Michal Kunc. What do we know about language equations? In Developments in Language Theory,pages 23–27, 2007.

[19] Nuo Li, Tao Xie, Nikolai Tillmann, Peli de Halleux, and Wolfram Schulte. Reggae: Automatedtest generation for programs using complex regular expressions. In ASE’09, 2009.

[20] Yasuhiko Minamide. Static approximation of dynamically generated web pages. In WWW ’05,pages 432–441, 2005.

[21] Gertjan Van Noord and Dale Gerdemann. Finite state transducers with predicates and identities.Grammars, 4:263–286, 2001.

[22] Prateek Saxena, Devdatta Akhawe, Steve Hanna, Feng Mao, Stephen McCamant, and Dawn Song.A Symbolic Execution Framework for JavaScript, Mar 2010.

[23] Jeremy G. Siek, Lie-Quan Lee, and Andrew Lumsdaine. The Boost Graph Library: User Guide

85


and Reference Manual (C++ In-Depth Series). Addison-Wesley Professional, December 2001.

[24] M. Veanes, P. Hooimeijer, B. Livshits, D. Molnar, and N. Bjørner. Symbolic finite state transduc-ers: Algorithms and applications. In POPL’12, 2012.

[25] Margus Veanes and Nikolaj Bjørner. Symbolic automata: The toolkit. In C. Flanagan andB. Konig, editors, TACAS’12, volume 7214 of LNCS, pages 472–477. Springer, 2012.

[26] Margus Veanes, Nikolaj Bjørner, and Leonardo de Moura. Symbolic automata constraint solving.In C. Fermuller and A. Voronkov, editors, LPAR-17, volume 6397 of LNCS/ARCoSS, pages 640–654. Springer, 2010.

[27] Margus Veanes, Peli de Halleux, and Nikolai Tillmann. Rex: Symbolic Regular Expression Ex-plorer. In ICST’10. IEEE, 2010.

[28] Gary Wassermann and Zhendong Su. Sound and precise analysis of web applications for injectionvulnerabilities. In PLDI, 2007.

[29] Fang Yu, Muath Alkhalaf, and Tevfik Bultan. Stranger: An automata-based string analysis toolfor PHP. In TACAS’10, LNCS. Springer, 2010.

[30] Fang Yu, Tevfik Bultan, and Oscar H. Ibarra. Symbolic String Verification: Combining StringAnalysis and Size Analysis. In TACAS, pages 322–336, 2009.

86

Exotic Semiring Constraints

(Extended Abstract)

Michael Codish∗ Yoav Fekete∗ Carsten Fuhs† Jurgen Giesl‡

Johannes Waldmann§

Abstract

Exotic semiring constraints arise in a variety of applications and in particular in thecontext of automated termination analysis. We propose two techniques to solve such con-straints: (a) to model them using Boolean functions and integer linear arithmetic and solvethem using an SMT solver (QF LIA, in certain cases also QF IDL); and (b) to seek finitedomain solutions by applying unary bit-blasting and solve them using a SAT solver. Inthis note, we show the structure of such systems of constraints, and report on the perfor-mance of SMT solvers and SAT encodings when solving them. In particular, we observethat good results are obtained by unary bit-blasting, improving on previous proposals toapply binary bit-blasting. Moreover, our results indicate that, for our benchmarks, unarybit-blasting leads to better results than the ones directly obtained by an SMT solver.

1 Introduction

Exotic semirings [DK09] are idempotent semirings where the elements are certain subsets ofnumbers (possibly including −∞ and/or +∞) and where the sum and product operations aremin, max, or +. For example, in the tropical semiring the elements are N ∪ +∞ and thesum and product operations are min and +, respectively. In the arctic semiring the elementsare N ∪ −∞ and the sum and product operations are max and +, respectively. The tropicalsemiring is allegedly named as such to honor Imre Simon, one of its pioneers, who comes fromtropical Brazil. Correspondingly, in [Goo98] the arctic semiring is named as such because arcticlatitudes are located “opposite” to tropical latitudes and “max” is the “opposite” operation to“min”. Exotic semiring constraints are just like Boolean formula except that the atoms areeither propositional variables or inequalities between expressions of an exotic semiring. Forexample, as we will formalize in the sequel, the following is an arctic semiring constraint

(a11 ≥ 0) ∧ (b11 ≥ 0) ∧

∧i ∈ 1, 2j ∈ 1, 2

(cij = (ai1 ⊗ b1j)⊕ (ai2 ⊗ b2j)) ∧(((ai1 ⊗ a1j)⊕ (ai2 ⊗ a2j) > (ci1 ⊗ a1j)⊕ (ci2 ⊗ a2j)) ∨(((ai1 ⊗ a1j)⊕ (ai2 ⊗ a2j) = −∞) ∧ ((ci1 ⊗ a1j)⊕ (ci2 ⊗ a2j) = −∞))) ∧(bij ≥ bi1 ⊗ b1j ⊕ bi2 ⊗ b2j)

(1)where ⊕ and ⊗ correspond to max and sum. All variables are existentially quantified and theconstraint is solved for example if a11 = a12 = b11 = b21 = c11 = c11 = 0, a21 = a22 = c12 = 1,and b12 = b22 = c21 = c22 = −∞.

Exotic semirings and constraints come up in a variety of applications such as formal lan-guages, as described in [Sim88], and optimization problems, idempotent analysis, and disjunc-tive invariants in static analysis as described in [GKS11]. Exotic semirings constraints have

∗Department of Computer Science, Ben-Gurion University of the Negev, Israel†Department of Computer Science, University College London, United Kingdom‡LuFG Informatik 2, RWTH Aachen University, Germany§Fakultat IMN, HTWK Leipzig, Germany


Exotic Semiring Constraints M. Codish, Y. Fekete, C. Fuhs, J. Giesl, J. Waldmann

recently proven to be very useful in the context of termination analysis for string [Wal07] andterm rewriting [KW09, ST10]. To simplify the presentation, we focus in this paper on theapplication to string rewriting, however the techniques carry over to term rewriting as well.

In string rewriting, the state of a computation is represented by a word s over an alphabetΣ. The program underlying the state transitions is a string rewrite system (SRS), i.e., a setR of rewrite rules ` → r where ` and r are words over Σ. A transition then corresponds to arewrite step u`v →R urv for some rule ` → r and words u, v (i.e., we replace the substring `by r).

We say thatR is terminating if no infinite sequence of rewrite steps s0 →R s1 →R s2 →R . . .exists. To prove termination, a classic method is to use interpretations, i.e., to map letters ato elements aD of a well-founded carrier (D,>) and then to extend this mapping to wordss = a1 . . . an by multiplication sD = a1D . . . anD. Then R is terminating if all rules areoriented (strictly), namely `D > rD holds for all rules `→ r ∈ R.

For example, termination of the system R =

a b→ b c

, can be shown with an interpre-tation to the well-founded carrier (N, >) where aN = 2 and bN = cN = 1 since 2 · 1 > 1 · 1 (usingthe standard multiplication on N). Such a termination proof could be found automatically byagain fixing the carrier (N, >), but leaving the interpretation for the letters open, i.e., using aninterpretation template. This yields a constraint problem over the well-founded carrier. So weseek an interpretation which orients all of the rules (strictly). For our example we get the con-straint aN · bN > bN · cN over the (positive) natural numbers, for which the above interpretationis indeed a solution.

Recently, termination techniques using interpretations to exotic semirings [Wal07, KW09,ST10], and their extensions to exotic (square) matrices (cf. also [EWZ08]) have been shown tobe very powerful. The extension of multiplication to exotic matrices is analogous to standardmatrix multiplication, where the operations on matrix entries have the semantics induced bythe underlying semiring for the entries. To compare two matrices A and B, we extend >component-wise. With these techniques, we are typically given two sets of rewrite rules, R andS, and required to find an interpretation which orients all rules in R ∪ S weakly, and at leastone rule in R strictly. We will formalize this in the sequel.

To solve the resulting template constraints over exotic matrices, [Wal07, KW09] suggest tomodel the operations at the binary level and to apply binary bit-blasting. Binary bit-blastingof arithmetic is convenient because of its compactness. However, size is not the only metricto regard for SAT encodings. Instead, in other applications [TTKB09, MCLS11] unary bit-blasting has been shown to result in encodings which often lead to smaller runtimes of the SATsolver. In this paper, we propose a unary encoding based on the, so-called, order encoding (seee.g. [CB94, BB03]) which has proven useful in a variety of applications involving arithmetic withsmall integer values (see e.g. [TTKB09]). We also investigate the application of SMT solvers.We observe that good results are obtained using the unary encoding, typically outperformingbinary bit-blasting as well as SMT solvers.

2 Preliminaries: Exotic Semirings

A semiring consists of a domain D equipped with operations ⊕,⊗ (addition, multiplication)and elements 0D, 1D ∈ D such that (D,⊕, 0D) is a commutative monoid (i.e., ⊕ is associativeand 0D is its neutral element), (D,⊗, 1D) is a monoid, ⊕ distributes over ⊗ from both sides,and 0D is annihilating on both sides of ⊗. The standard example of a semiring is (N,+, ·, 0, 1).We will focus on idempotent semirings, where addition is idempotent: x⊕ x = x.

88


Definition 1. The following idempotent semirings are collectively called exotic:

• A = (−∞ ∪ N,max,+,−∞, 0), the arctic semiring,

• T = (N ∪ +∞,min,+,+∞, 0), the tropical semiring,

• F = (−∞ ∪ N ∪ +∞,min,max,+∞,−∞), the fuzzy semiring,

• P = (−∞ ∪ Z,max,+,−∞, 0), the Z-arctic semiring (also known as arctic below zero)cf. [Kro98] (where arctic is called polar).

We assume, for each of the exotic semirings, D, an order extending the standard order onN (or Z), namely, −∞ < 0 < 1 < . . . < +∞.

We denote the reflexive closure of < by ≤, and we write x <0 y for (x < y)∨ (x = 0D = y),where 0D denotes the zero element of D. For the fuzzy semiring, we also need the followingnotation: x <1 y iff (x <0 y) ∨ (x = 1D = y).

For any (exotic) semiring D, and n ∈ N, the set Mn(D) of n×n-matrices with entries fromD is again a semiring, with addition and multiplication defined in the standard way, using ⊕and ⊗ on the elements. If D is idempotent, then Mn(D) is idempotent. The orders ≤, <0, <1

are extended from D to Mn(D) component-wise.We call an element x ∈ D positive if x ≥ 1D. A matrix A ∈ Mn(D) is called positive,

denoted positive(A), if A1,1 (the top left element) is positive.An exotic semiring constraint is a Boolean formula in which all atoms are either propositional

variables or exotic semiring inequalities. We say that a constraint is satisfiable if there exists anassignment of exotic values to exotic variables such that replacing inequalities by their impliedBoolean values results in a satisfiable Boolean formula.

In the context of automated termination analysis we typically need to solve exotic termina-tion constraints where given two sets of rewrite rules, R and S, we need to find an interpretationto orient all rules `→ r in R∪S such that ` ≥ r (resp. >1, for the fuzzy semiring) and at leastone rule ` → r in R such that ` >0 r. In this setting the matrices are required to be positive.For example, assuming the arctic semiring, if R =

a2 → a b a

and S =

b→ b2

with

aD = A and bD = B the constraint system for the unknown matrices A,B that make up theinterpretation is positive(A) ∧ positive(B) ∧ (A2 >0 ABA) ∧ (B ≥ B2). To seek a solution ofdimension 2, we obtain the exotic semiring constraint from Eq. 1, where the auxiliary variablescij indicate the contents of matrix C = AB and the solution is given by

A =

(0 01 1

), B =

(0 −∞0 −∞

).

3 From Exotic to LIA/IDL constraints

In this section we show that exotic constraints can be faithfully translated into logic over the-ories that are standardized within SMT-LIB. In particular, arctic and tropical constraints canbe encoded into QF LIA, and fuzzy numbers constraints can be encoded into QF IDL. Withthis new formalization we generalize the binary SAT encoding for arctic constraints proposedin [KW09]. As an application, we consider a selection of termination problems from the Inter-national Termination Competition1 where for each instance we select an exotic semiring and a

1http://www.termination-portal.org/wiki/Termination_Competition

89

http://www.termination-portal.org/wiki/Termination_Competition


matrix dimension to generate exotic constraints. We then model these using LIA/IDL to obtaina selection of instances2 that have been submitted to the SMT (2012) competition.

To model exotic domains we represent arctic and tropical numbers as pairs Boolean × N.For an arctic a represented by (m, i), if m is true then a = −∞ and otherwise a = i, and for atropical t represented by (p, i), if p is true then t = +∞ and otherwise t = i. Similarly, a fuzzynumber f is represented as a triplet (m, i, p) where m is true iff f = −∞, p is true iff f = +∞and f = i iff m = p = false. (We denote truth values by true/false or 1/0 depending on thecontext.)

To encode the “maximum” operation for k arctic elements we have (m, i) =⊕

k(mk, ik) iff

(m =∧k

mk) ∧ (¬m→∧k

(¬mk → i ≥ ik)) ∧ (¬m→∨k

(¬mk ∧ i = ik)).

Namely, the maximum of k arctic numbers is −∞ if all k numbers are, else it is greater thanor equal to each finite number, and equal to one finite number. To encode arctic semiringmultiplication we have (m, i) =

⊗k(mk, ik) iff

(m =∨k

mk) ∧ (¬m→ (i =∑k

ik)).

As the formulas show, the target of the translation is the theory of integers with addition, asdefined in QF LIA. This encoding can also be used for the Z-arctic semiring (Z-arctic numbersare modeled as pairs Boolean× Z). Symmetric formulae as for the arctic semiring hold for thetropical semiring operations and are not detailed here. The fuzzy semiring has the minimumand maximum operations. This implies that we do not need addition, so the constraints can beformulated as difference constraints. In fact, we are working within the “theory of linear order”(a subset of QF IDL, where full QF IDL would also allow addition of constants).

4 Exotic Order Encoding

The order encoding (see e.g. [CB94, BB03]) is a unary representation for natural numbers. Inthis representation the bit vector x = 〈x1, . . . , xk〉 constitutes a monotonic decreasing sequenceand represents values between 0 and k. For example, the value 3 in 5 bits is represented as〈1, 1, 1, 0, 0〉. The bit xi (for 1 ≤ i ≤ k) is interpreted as the statement x ≥ i.

An important property of a Boolean representation for finite domain integers is the abil-ity to represent changes in the set of values a variable can take. It is well-known that theorder encoding facilitates the propagation of bounds. Consider an order encoding variablex = 〈x1, . . . , xk〉 with values in the interval [0, k]. To restrict x to take values in the range [a, b](for 1 ≤ a ≤ b ≤ k), it is sufficient to assign xa = 1 and xb+1 = 0 (if b < k). The variablesxa′ for 1 ≤ a′ < a and b < b′ ≤ k are then determined true and false, respectively, by unitpropagation. For example, given x = 〈x1, . . . , x9〉, assigning x3 = 1 and x6 = 0 propagates togive x = 〈1, 1, 1, x4, x5, 0, 0, 0, 0〉, signifying that x can take values in the interval [3, 5]. Thisproperty is exploited in Sugar [TTKB09] which also applies the order encoding.

In [MCLS11], the authors observe an additional property of the order encoding: its abilityto specify that a variable cannot take a specific value 1 ≤ v ≤ k in its domain by equatingtwo variables: xv = xv+1. This indicates that the order encoding is well-suited not only topropagate lower and upper bounds, but also to represent integer variables with an arbitrary

2http://www.imn.htwk-leipzig.de/~waldmann/draft/2012/smt-benchmarks/real/

90

http://www.imn.htwk-leipzig.de/~waldmann/draft/2012/smt-benchmarks/real/


finite domain. For example, for x = 〈x1, . . . , x9〉, equating x2 = x3 imposes that x 6= 2.Likewise x5 = x6 and x7 = x8 impose that x 6= 5 and x 6= 7. Applying these equalities tox gives, x = 〈x1, x2, x2, x4, x5, x5, x7, x7, x9〉, signifying that x can take values from the set0, 1, 3, 4, 6, 8, 9.

In the remainder of this section we present the standard order encoding for natural numbersand describe how we extend it, first to integers and then to arctic integers. Finally we statethat the order encoding is extended to tropical and fuzzy domains in a similar way.

Encoding Naturals: Let a = 〈a1, . . . , ak〉 denote a tuple of k bits. To encode that a is in theorder encoding we introduce clauses: unaryN(a) =

∧ai+1 → ai

∣∣ 0 < i < k

. We say thata is a k-bit natural number in the order encoding (or “natural” for short). It can take valuesbetween 0 and k. Let a and b be k-bit and k′-bit naturals. Their sum, c = 〈c1, . . . , ck+k′〉 isdefined by the clauses:

sumN(a, b) =∧

(ai → ci) ∧ (¬ai → ¬ck′+i) ∧ (ai ∧ bj → ci+j) ∧(bj → cj) ∧ (¬bj → ¬ck+j) ∧ (¬ai ∧ ¬bj → ¬ci+j−1)

∣∣∣∣ 0 < i ≤ k,0 < j ≤ k′

Let a = 〈a1, . . . , ak〉 be a k-bit natural and k′ > k. Then the following is the corresponding

k′-bit natural obtained by padding with k′ − k zeros: extendN(a, k′) = 〈a1, . . . , ak, 0, . . . , 0〉.Assume that a and b are k-bit naturals (if they are not in the same range then apply

extendN). We define max(a, b) =∧

ci ↔ ai ∨ bj∣∣ 0 < i ≤ k

. The bits 〈c1, . . . , ck〉 are a

k-bit natural representing the maximum. We define (a ≥ b) =∧

bi → ai∣∣ 0 < i ≤ k

and

(a > b) = a1 ∧ ¬bk ∧∧

bi → ai+1

∣∣ 0 < i < k

.

Encoding Integers: We propose a representation for integers in the same spirit as thatfor the naturals. It facilitates an encoding which is almost identical to the order encodingof the naturals. The key design decision is to represent integers in the range (−k,+k) as a2k-bit monotonic decreasing sequence. So, for x = 〈x1, . . . , x2k〉, the bit xi (for 1 ≤ i ≤ 2k)is interpreted as the statement x ≥ −k + i. For example, 〈0, 0〉, 〈1, 0, 0, 0〉, 〈1, 1, 0, 0, 0, 0〉 allrepresent −1 in different bit lengths; 〈1, 0〉, 〈1, 1, 0, 0〉, 〈1, 1, 1, 0, 0, 0〉 all represent 0 in differentbit lengths; and 〈1, 1〉, 〈1, 1, 1, 0〉, 〈1, 1, 1, 1, 0, 0〉 all represent +1 in different bit lengths.

Given this representation, all operations are (almost) the same as for naturals. Let a =〈a1, . . . , a2k〉 denote a tuple of 2k bits. To encode that a is an integer in the order encodingwe introduce clauses: unaryZ(a) = unaryN(a) Let a and b be 2k-bit and 2k′-bit unary orderencoding integers. Their sum, c = 〈c1, . . . , c2(k+k′)〉 is defined exactly the same as for the unarycase by adding the clauses sumZ(a, b) = sumN(a, b). Namely, simply by viewing a and b as ifthey were natural numbers. For example, 〈0, 0〉+〈1, 0, 0, 0〉 = 〈1, 0, 0, 0, 0, 0〉 (for −1+−1 = −2)or 〈1, 0, 0, 0〉+ 〈1, 1〉 = 〈1, 1, 1, 0, 0, 0〉 (for −1 + 1 = 0).

Let a = 〈a1, . . . , a2k〉 be a 2k-bit integer and k′ > k. Then the following is the corresponding2k′-bit integer: extendZ(a, k′) = 〈1, . . . , 1, a1, . . . , ak, 0, . . . , 0〉 where the original bits are paddedby (k′−k) ones on the left and (k′−k) zeros on the right. Now we will assume that a and b are2k-bit unary order encoding integers (if they are not in the same range then apply extendZ). Inthis setting, max, >, ≥ are implemented exactly the same as their natural number counterparts.

Encoding Arctic Integers: We propose the following representation for arctic integers.Obviously, we require an extra bit to capture the case where a = −∞. To facilitate an encodingwhich is similar to the order encoding for naturals and integers, we position this extra bit asthe leftmost in a (2k + 1)-bit monotonic decreasing sequence. So, for a = 〈a0, a1, . . . , a2k〉, the

91


bit a0 is false when a = −∞ (and then also all other bits are zero). And, just like for integers,the bit ai (for 1 ≤ i ≤ 2k) is interpreted as the statement a ≥ −k + i.

To encode that a is an arctic integer in the order encoding we introduce clauses: unaryP(a) =unaryN(a) (reusing the definition for naturals). We say that a is a (2k + 1)-bit unary orderencoding integer. It can take values between −k and +k or −∞.

Let a = 〈a0, a1, a2k〉 and b = 〈b0, b1, b2k′〉 denote 2k+1 and 2k′+1 order encoding arctics. Letc0 = a0 ∧ b0 and let 〈c1, . . . , c2(k+k′)〉 denote the usual integer (or natural) sum of 〈a1, . . . , a2k〉and 〈b1, . . . , b2k′〉 (each without its first bit). Then, the arctic sum a + b is 〈c0, c0 ∧ c1, . . . , c0 ∧c2(k+k′)〉.

Let a = 〈a0, a1, . . . , a2k〉 be a unary arctic number in 2k+1 bits. Its extension to 2k′+1 bitsfor k′ > k is obtained as extendP(a, k′) = 〈a0, . . . , a0, a1, . . . , a2k, 0, . . . , 0〉 (padding by (k′ − k)times the a0 bit on the left and (k′ − k) times a 0 bit on the right). Assume that a and b are(2k+1)-bit arctic integers (if they are not in the same range then apply extendP). Now, max, >,≥ are implemented directly using their natural number counterparts. So everything about theencoding is “for free”. Encoding >0 is like this: (a >0 b) = ¬bk ∧

∧bi → ai+1

∣∣ 0 < i < k

.

Encoding Tropical and Fuzzy Integers: Tropical numbers are handled in much the sameway as arctics: with an “infinity bit”, and an unary encoding of the finite value, but we put theinfinity bit in the rightmost position. That way, we can use the standard “minimum” operationfor unary integers, and get the correct result also for the case that some arguments are infinite.For fuzzy numbers, we represent “minus infinity” by 0, and “plus infinity” by B (the bit width).The semiring operations are standard minimum and maximum operations with the usual unaryencodings.

5 A Knockout Example

The termination status of problem SRS/Gebhardt/19 has been open since it was posed in2006. Using the methods from this paper, we obtain a tropical matrix interpretation to proveits termination. A key step in the proof involves the setting where (the alphabet is Σ =

0, 1, 0#, 1#

):

R =

0# 0 0 0 → 1# 0 1 1,1# 0 0 1 → 0# 0 1 0

S =

0 0 0 0 → 1 0 1 1,1 0 0 1 → 0 0 1 0

So we seek a tropical matrix interpretation which satisfies the constraints 0#03 ≥ 1#012,1#021 ≥ 0#010, 04 ≥ 1012, 1021 ≥ 0210 and also (04 >0 1012) ∨ (1021 >0 0210).

In approximately one hour of SAT solving time, using the order encoding with five bits pertropical unknown we obtain the following tropical interpretation (where + indicates +∞) whichallows to remove the second rule from R to render a proof of termination.

0 7→

4 0 3 + 4 4 4 4 ++ 4 + + 0 + + 4 +3 + + 2 3 4 3 + +3 0 + + + 0 + 0 +4 2 0 + 4 + + + +0 2 + 3 4 + 3 + 32 0 0 4 + 0 + 2 32 4 3 0 + + 0 + ++ + + + + + + + 0

1 7→

2 + + 4 3 4 + + ++ 3 0 2 2 0 4 + ++ 2 0 4 0 + 0 3 +0 4 + + 3 3 4 4 +2 + + + 4 4 + + +0 4 + 0 0 2 1 + 30 + + + + + 3 + ++ 0 0 0 + + 2 0 1+ + + + + + + + 0

92


0# 7→

0 1 1 2 0 0 3 0 2+ + + + + + + + +0 + 0 1 + + + + 21 + 1 2 + + + + 30 + 1 1 + + + 1 20 1 + 3 + 3 2 + 40 + 0 3 + + + 2 22 4 + 4 2 + 4 + 4+ + + + + + + + 0

1# 7→

0 4 1 1 0 1 0 + ++ + + + + + + + +0 2 0 1 1 + + + +2 + 2 2 1 + 2 4 40 + 4 1 2 2 2 + 3+ + 2 + 0 3 1 + ++ + + 1 0 + + + 34 + 4 3 4 4 2 + ++ + + + + + + + 0

6 Tools and Experiments

To assess our contributions empirically, we conducted several preliminary experiments. We usethree tools

(1) satchmo-smt—Johannes Waldmann enhanced his satchmo-smt [Wal] solver, which uses abinary encoding of QF LIA (cf. e.g. [EWZ08, FGM+07]), to perform also a unary en-coding similar to Sect. 4. The solver satchmo-smt makes use of the solver MiniSAT [ES03](development version based on version 2.2). So for arctic constraints, the binary encodingessentially corresponds to that proposed in [KW09], whereas the unary encoding is new.

(2) BEE—Yoav Fekete enhanced the BEE constraint solver developed at Ben-Gurion Universityto compile arctic constraints to CNF. It combines constraint and CNF simplificationtechniques to provide a concise CNF representation [MCLS11]. BEE uses the SAT solverCryptoMiniSAT [SNC09], version 2.5.1, as a back-end solver;

(3) Z3, version 3.2—This SMT solver [dB08] is developed at MS Research and can handleQF LIA end QF IDL theories (among others).

Our experimentation initiates a comparison of these tools when solving exotic semiringconstraints. We view this experimentation as a proof of concept and starting point for a morethorough investigation on how to solve exotic semiring constraints using SMT solvers and SATencodings. As the benchmark set, we generated exotic termination constraints with matrixdimension up to 5 from the string rewriting problems of the Termination Problem Data Base(TPDB)3, selected those that were solvable by satchmo-smt within 10 minutes, and removedthose that were solvable quickly (< 2 seconds).

Exotic constraints were given directly to BEE, and for satchmo-smt and Z3 they were beingtranslated to QF LIA as described in Sect. 3.

The benchmark runs were performed on a Quad-core Intel i5-2400 at 3.1 GHz with 4 GBRAM. We conducted the following experiments which are summarized in Table 1. All times arein seconds. The timeout is 1800 sec. The rows of the table were selected from 194 instances.The average, max and number of timeout information in the last 3 rows is a statistic on all 194instances.

Experiment 1: We apply satchmo-smt to compare binary and unary encodings for LIA con-straints that stem from arctic constraints. So while here we do not directly take optimizationsby dedicated domain knowledge of the arctic semiring into account, this experiment still allowsus to make observations on performance of binary vs. unary bit-blasting. Here (arctic) variables

3http://termination-portal.org/wiki/TPDB

93


instance Experiment 1 Experiment 2 Experiment 3satchmob (3) satchmou (7) BEE (it) Z3 BEE (4) satchmou (4)

S2.1 55.09 1.20 0.73 112.39 3.74 0.70S2.2 0.81 4.91 0.66 411.13 7.31 11.72S2.3 11.82 7.11 12.94 111.38 2.02 154.74S2.4 2.81 2.81 11.6 891.97 2.23 219.14S3.1 1.51 84.34 1.62 1754.24 9.58 1.21S3.2 4.31 23.34 4.15 428.24 6.55 2.61S3.3 4.81 24.14 2.10 199.43 3.94 3.31S3.4 71.41 8.42 0.97 472.16 1.66 0.70S3.5 108.97 16.63 0.60 359.24 1.24 0.60S3.6 TimeOut TimeOut 9.13 305.49 2.13 123.59S3.7 2.31 8.82 9.43 TimeOut 1.82 128.1S4.0 2.41 4.71 2.15 6.69 21.31 1.50S4.1 4.91 26.04 6.00 610.73 8.83 3.51S4.2 6.11 4.31 3.68 27.06 26.94 2.21S4.3 TimeOut 172.18 2.55 TimeOut 35.68 7.71S5.1 51.69 19.33 17.92 1550.72 15.23 4.11S5.2 TimeOut 46.18 2.33 TimeOut 85.44 77.92S5.3 TimeOut TimeOut 3.40 TimeOut 20.59 28.85S5.4 TimeOut 725.44 4.16 TimeOut 160.79 44.07S5.5 18.93 17.33 3.45 TimeOut 6.5 13.12S6.1 4.61 9.72 9.05 45.33 27.22 4.21S6.2 7.32 4.41 4.30 41.10 29.64 2.61S6.3 9.82 8.02 8.57 84.25 21.10 4.31S6.4 169.98 47.58 1.62 138.57 31.04 4.41S6.5 TimeOut 1408.21 6.80 TimeOut 731.93 TimeOutaverage 61.58 5.44 2.22 224.64 10.83 14.94max 1800 1800 17.92 1800 731.93 1800timeouts 6 2 0 15 0 1

Table 1: results from 3 experiments

take values −∞, 0, . . . , 7. This means 3 bits for the binary representation and 7 bits for theunary as indicated in the headers of these two rows. Despite the significantly more verboserepresentation in the unary encoding, the corresponding average runtime is lower by an orderof magnitude in comparison to the average runtime for the binary encoding. Also the worst-casebehavior of unary bit-blasting is better (only 2 timeouts instead of 6 for binary bit-blasting).

Experiment 2: Here we compare unary bit-blasting as in Sect. 4 using BEE [MCLS11] withSMT solving using Z3.

SMT solvers with a dedicated theory solver like Z3 natively support all natural numbers assearch space for the input constraint. For bit-blasting with BEE, we use an iterative deepeningapproach which doubles n for the search space −∞, 0, . . . , n until a solution is found or nreaches a specified upper bound. This is indicated by “(it)” on the corresponding column. Herewe can show satisfiability of all instances using at most 4 bits.

With BEE, we observe an improvement in the average runtime by two orders of magnitudeover Z3. Also in the worst case BEE performs significantly better (max. runtime of less than 18

94


seconds, whereas Z3 shows 15 timeouts after 1800 seconds each).

Experiment 3: Here we compare unary bit-blasting using BEE and using satchmo-smt, eachwith 4 bits for the numbers (4). Here BEE and satchmo show similar performance (where BEEis slightly faster on average). While satchmo-smt has an approach of directly bit-blasting LIAconstraints “as is” (and not taking the underlying arctic domain into account), BEE has a certainoverhead due to the simplifications applied in the SAT compilation phase, which may not alwayspay out. Moreover, the two solvers use different SAT solvers (CryptoMiniSAT and MiniSAT) forthe resulting CNFs, which may also lead to differences in runtime. Here investigations withdifferent SAT solvers as back-ends would be interesting.

7 Discussion

In this paper, we formalize exotic semiring constraints and discuss several new ways of solvingthem. In addition to the existing approach based on binary bit-blasting, we also provide newapproaches based on SMT-LIA and unary bit-blasting with order encoding.

We have applied these techniques to solve exotic semiring constraints that come up in thecontext of automated termination analysis.

The LIA and IDL constraints derived from exotic termination constraints all share theproperty that the only numerical constant that appears anywhere, is the number zero. Highernumbers (than zero) may of course appear in the solution, but only as consequences of strictequalities.

It appears that long chains of strict inequalities are “quite unlikely”, so if an exotic termi-nation constraint has a solution at all, then it typically also has a solution that uses only smallnumbers, and this explains the effectiveness of unary bit-blasting solver methods.

For more information on our experiments, we refer to our evaluation web page at the fol-lowing URL: http://www.cs.bgu.ac.il/~mcodish/Benchmarks/SMT2012/

Ongoing research aims to provide a powerful solver for exotic semiring constraints that arisein the context of termination analysis. Here we plan to investigate the application of SMT andSAT solvers with unary encodings, where also applications other than termination analysis maybenefit.

References

[BB03] Olivier Bailleux and Yacine Boufkhad. Efficient CNF encoding of boolean cardinality con-straints. In Francesca Rossi, editor, CP, volume 2833 of Lecture Notes in Computer Science,pages 108–122. Springer, 2003.

[CB94] James M. Crawford and Andrew B. Baker. Experimental results on the application ofsatisfiability algorithms to scheduling problems. In Barbara Hayes-Roth and Richard E.Korf, editors, AAAI, pages 1092–1097. AAAI Press / The MIT Press, 1994.

[dB08] Leonardo de Moura and Nikolaj Bjørner. Z3: An efficient SMT solver. In C. R. Ramakrish-nan and Jakob Rehof, editors, TACAS, volume 4963 of Lecture Notes in Computer Science,pages 337–340. Springer, 2008.

[DK09] Manfred Droste and Werner Kuich. Semirings and formal power series. In Manfred Droste,Werner Kuich, and Heiko Vogler, editors, Handbook of Weighted Automata, pages 3–28.Springer, 2009.

95

http://www.cs.bgu.ac.il/~mcodish/Benchmarks/SMT2012/


[ES03] Niklas Een and Niklas Sorensson. An extensible SAT-solver. In Enrico Giunchiglia andArmando Tacchella, editors, SAT, volume 2919 of Lecture Notes in Computer Science,pages 502–518. Springer, 2003.

[EWZ08] Jorg Endrullis, Johannes Waldmann, and Hans Zantema. Matrix interpretations for provingtermination of term rewriting. J. Autom. Reasoning, 40(2-3):195–220, 2008.

[FGM+07] Carsten Fuhs, Jurgen Giesl, Aart Middeldorp, Peter Schneider-Kamp, Rene Thiemann, andHarald Zankl. SAT solving for termination analysis with polynomial interpretations. InJoao Marques-Silva and Karem A. Sakallah, editors, SAT, volume 4501 of Lecture Notes inComputer Science, pages 340–354. Springer, 2007.

[GKS11] Stephane Gaubert, Ricardo Katz, and Sergei Sergeev. Tropical linear-fractional pro-gramming and parametric mean payoff games. ArXiv e-prints, 2011. Available fromhttp://arxiv.org/abs/1101.3431, extended version of a workshop paper at the Workshopon Invariant Generation (WING 2010) http://research.microsoft.com/en-us/events/

wing2010/ at FLoC ’10.

[Goo98] Joshua T. Goodman. Parsing inside-out. PhD thesis, Harvard University, 1998.

[Kro98] Daniel Krob. Some automata-theoretic aspects of min-max-plus semirings. In JeremyGunawardena, editor, Idempotency, pages 70–79. Cambridge University Press, 1998.

[KW09] Adam Koprowski and Johannes Waldmann. Max/plus tree automata for termination ofterm rewriting. Acta Cybern., 19(2):357–392, 2009.

[MCLS11] Amit Metodi, Michael Codish, Vitaly Lagoon, and Peter J. Stuckey. Boolean equi-propagation for optimized SAT encoding. In Jimmy Ho-Man Lee, editor, CP, volume6876 of Lecture Notes in Computer Science, pages 621–636. Springer, 2011.

[Sim88] Imre Simon. Recognizable sets with multiplicities in the tropical semiring. In MichalChytil, Ladislav Janiga, and Vaclav Koubek, editors, MFCS, volume 324 of Lecture Notesin Computer Science, pages 107–120. Springer, 1988.

[SNC09] Mate Soos, Karsten Nohl, and Claude Castelluccia. Extending SAT solvers to cryptographicproblems. In Oliver Kullmann, editor, SAT, volume 5584 of Lecture Notes in ComputerScience, pages 244–257. Springer, 2009.

[ST10] Christian Sternagel and Rene Thiemann. Certification extends termination techniques. InProc. 11th International Workshop on Termination (WST ’10), 2010.

[TTKB09] Naoyuki Tamura, Akiko Taga, Satoshi Kitagawa, and Mutsunori Banbara. Compiling finitelinear CSP into SAT. Constraints, 14(2):254–272, 2009.

[Wal] Johannes Waldmann. satchmo-smt. https://github.com/jwaldmann/satchmo-smt.

[Wal07] Johannes Waldmann. Weighted automata for proving termination of string rewriting. Jour-nal of Automata, Languages and Combinatorics, 12(4):545–570, 2007.

96

http://arxiv.org/abs/1101.3431

http://research.microsoft.com/en-us/events/wing2010/

http://research.microsoft.com/en-us/events/wing2010/

https://github.com/jwaldmann/satchmo-smt

A Theory of Arrays with set and copy Operations∗

(Extended Abstract)

Stephan Falke Carsten Sinz Florian MerzInstitute for Theoretical Computer Science

Karlsruhe Institute of Technology (KIT), Germanystephan.falke, carsten.sinz, [email protected]

http://verialg.iti.kit.edu

Abstract

The theory of arrays is widely used in order to model main memory in program analysis,software verification, bounded model checking, symbolic execution, etc. Nonetheless, thebasic theory as introduced by McCarthy is not expressive enough for important practicalcases, since it only supports array updates at single locations. In programs, memory isoften modified using functions such as memset or memcpy/memmove, which modify a user-specified range of locations whose size might not be known statically. In this paper wepresent an extension of the theory of arrays with set and copy operations which make itpossible to reason about such functions. We also discuss further applications of the theory.

1 Introduction

The theory of arrays is widely used in order to model main memory in formal methods suchas program analysis, software verification, bounded model checking, or symbolic execution. Inthe simplest case, main memory is modelled using a one-dimensional array, but the use of thetheory of arrays goes beyond such flat memory models. Reasoning about arrays is thus anessential part of systems that are based on the aforementioned methods.

Since the basic theory of arrays is quite simple, it is insufficient (or at least inconvenientto use) in many application cases. While it supports storing and retrieving of data at specificlocations, it does not support the functionality provided by C library functions such as memsetor memcpy/memmove which operate on regions of locations. While these region-based operationscan be broken down into operations on single locations in many cases (e.g., a memcpy operationof size 10 can be simulated using 10 read and 10 write operations), this approach does notscale if the involved regions are large. Even worse, the sizes of the affected regions mightnot be statically known, making it more complicated to break the region-based operation intooperations on single locations.

These limitations of the theory of arrays also manifest themselves in tools implementing theformal methods mentioned above. In software bounded model checking tools such as CBMC [7]and ESBMC [8], calls to memset and memcpy/memmove are handled by including an implementationof these methods and unrolling the loop contained in the implementations. Due to this unrolling,CBMC and ESBMC are incomplete in their treatment of memset and memcpy/memmove.1 Our ownsoftware bounded model checking tool LLBMC [20, 22] was equally incomplete since it reliedon user-provided implementations of memset and memcpy/memmove until we implemented theapproach discussed in this work.

In this paper we present an extension of the theory of arrays with set and copy operationswhich make it possible to reason about memset and memcpy/memmove. We discuss several

∗This work was supported in part by the “Concept for the Future” of Karlsruhe Institute of Technologywithin the framework of the German Excellence Initiative.

1The situation is similar in symbolic execution tools such as EXE [6] or KLEE [5].


http://verialg.iti.kit.edu

A Theory of Arrays with set and copy Operations S. Falke, C. Sinz, F. Merz

implementations of satisfiability solvers for this theory in the context of LLBMC and show withan empirical evaluation that these implementations outperform the unrolling based approachas used in CBMC and ESBMC in all but the most trivial cases.

2 The Theory of Arrays

The (non-extensional) theory of arrays (TA), as introduced by McCarthy in his seminal paperof 1962 [19], is given by the following signature and axioms:

Sorts element : elementsindex : indicesarray : arrays

Functions read : array× index→ elementwrite : array× index× element→ array

Objects of sort array denote arrays, i.e., maps from indices of sort index to elements ofsort element. The write function is used to store an element in an array. Its counter-part, theread function, is used to retrieve an element from an array.

The semantics of read and write is given be the following read-over-write axioms:2

p = r =⇒ read(write(a, p, v), r) = v (1)

¬(p = r) =⇒ read(write(a, p, v), r) = read(a, r) (2)

These axioms state that storing the value v into an array a at index p and subsequently readinga’s value at index q results in the value v if the indices p and q are identical. Otherwise, thewrite operation does not influence the result of the read operation.

In a simple implementation of a decision procedure for the theory of arrays, the read-over-write axioms could be applied from left to right using the if-then-else operator ITE, i.e., a termread(write(a, p, v), q) is replaced by ITE(p = q, v, read(a, q)). After this transformation has beenapplied exhaustively, only read operations remain. These can then be treated as uninterpretedfunctions. Alternatively the resulting formula can be further transformed into pure equalitylogic using Ackermann’s construction: for all array variables a, let Pa be the set of all indexarguments that occur in a read operation for a. Then, each occurrence of read(a, p) is replacedby a fresh variable Ap, and consistency constraints of the form p1 = p2 =⇒ Ap1

= Ap2for

all p1, p2 ∈ Pa are added as constraints to the formula.Instead of this eager and expensive approach, modern SMT-solvers use abstraction refine-

ment loops applying lazy axiom instantiation or lemma-on-demand techniques, see, e.g., [12, 4],to efficiently support the theory of arrays.

3 The Theory of Arrays with set and copy

In order to extend TA with set and copy operations we restrict index to a linear arithmeticaltheory containing +, −, ≤, and <. Similar to [13], this section is based on the assumptionthat index = N. Furthermore, +, −, ≤, and < are interpreted in the expected way. Necessarychanges in order to replace N by fixed-width bitvectors are discussed in Section 4.

2Here and in the following, all variables are implicitly universally quantified. Also, variables a, b range overarrays, variables p, q, r, s range over indices, and the variable v ranges over elements.

98


a

b q q + s

copy(a, p, b, q, s) p p + s

Figure 1: Graphical illustration of copy.

The theory of arrays with set and copy operations (TASC) extends TA by the following sorts,functions and axioms. The sort size is used for the sizes of set and copy operations. It isintroduced as an alias for the sort index since the axioms contain arithmetical operations thatcombine terms of sort index with terms of sort size.

Sorts size = indexFunctions set : array× index× element× size→ array

set∞ : array× index× element→ arraycopy : array× index× array× index× size→ array

copy∞ : array× index× array× index→ array

The informal semantics of set(a, p, v, s) is to set all entries of a that are between p andp + s− 1 to the value v. Similarly, set∞(a, p, v) sets all entries from p on upwards to v.

Formally, the semantics of set is given by the following read-over-set axioms:

p ≤ r < p + s =⇒ read(set(a, p, v, s), r) = v (3)

¬(p ≤ r < p + s) =⇒ read(set(a, p, v, s), r) = read(a, r) (4)

Similarly, the read-over-set∞ axioms give a semantics to set∞:

p ≤ r =⇒ read(set∞(a, p, v), r) = v (5)

¬(p ≤ r) =⇒ read(set∞(a, p, v), r) = read(a, r) (6)

The axioms have some similarity to the read-over-write axioms (1) and (2), but the simpleequality comparison in the read-over-write axioms has been replaced by a more complex checkfor containment in a region of indices.

Informally, copy and copy∞ are used in order to copy a range of values from one array toanother array. This copying process may also involve a shift, i.e., the ranges in the arrays donot need to start at the same index position. See Figure 1 for a graphical illustration of copy.

The semantics of copy is given by the read-over-copy axioms

p ≤ r < p + s =⇒ read(copy(a, p, b, q, s), r) = read(b, q + (r − p)) (7)

¬(p ≤ r < p + s) =⇒ read(copy(a, p, b, q, s), r) = read(a, r) (8)

and the semantics of copy∞ is specified using the the read-over-copy∞ axioms

p ≤ r =⇒ read(copy∞(a, p, b, q), r) = read(b, q + (r − p)) (9)

¬(p ≤ r) =⇒ read(copy∞(a, p, b, q), r) = read(a, r) (10)

99


Example 1. Consider the formula

s > 0 ∧ b = copy(a, p, a, q, s) ∧ o < s ∧ read(b, p + o) 6= read(a, q + o)

in TASC. It is intuitively unsatisfiable since the copy operation ensures that read(b, p + o) andread(a, q + o) are identical for all o < s. The unsatisfiability can formally be shown usingreasoning w.r.t. the axioms of TASC.

4 Using Bitvectors as Indices

In principle, the natural numbers used as indices in Section 3 can readily be replaced by fixed-width bitvectors if + and − are replaced by bitvector addition (bvadd) and bitvector subtraction(bvsub) and ≤ and < are replaced by unsigned less-than-or-equal (bvule) and less-than (bvult)operations, respectively. In the following discussion, we only consider set and copy.

For the read-over-set axioms (3) this results in the following axioms for the set operation:

bvule(p, r) ∧ bvult(r, bvadd(p, s)) =⇒ read(set(a, p, v, s), r) = v

¬(bvule(p, r) ∧ bvult(r, bvadd(p, s))) =⇒ read(set(a, p, v, s), r) = read(a, r)

The read-over-copy axioms for copy now read as follows:

bvule(p, r) ∧ bvult(r, bvadd(p, s)) =⇒ read(copy(a, p, b, q, s), r) = read(b, bvadd(q, bvsub(r, p)))

¬(bvule(p, r) ∧ bvult(r, bvadd(p, s))) =⇒ read(copy(a, p, b, q, s), r) = read(a, r)

Notice that the wrap-around behavior of bitvector arithmetic that is caused by overflowsleads to subtle semantic differences compared to the case of natural numbers. There are twocases in which a wrap-around can occur: (a) in the target range of a set or copy operation, i.e.,in the computation of bvadd(p, s), or (b) in the source range of a copy operation, i.e., in thecomputation of bvadd(q, bvsub(r, p)).

A target range overflow (a) causes the left-hand side of the implication to be always falsefor the first axiom and always true for the second axiom for both set and copy. This meansthat an overflow in the target range of any of the operations turns it into a no-op.

In contrast to target range overflows, source range overflows (b) of a copy operation behaveas expected, i.e., the indices from which the values are copied wrap around.3

5 Applications

As already mentioned in Section 1, the most immediate use of TASC is to precisely and succinctlymodel library functions such as memset or memcpy/memmove in C. There are, however, severalfurther applications of the theory for reasoning about programs which we would like to explorein future work:

• Zero-initialization of global variables (as required by the C standard) can be achievedusing the set operation.

• Operating systems zero-initialize new memory pages before handing them to a process.This can again be achieved using an appropriate set operation.

3If consistency of the two overflow cases is desired, an overflow in the source destination could be ruled outby adding an overflow check ¬bvuaddo(q, s) to the left-hand side of the implication in the second read-over-copyaxiom. This turns the copy operation into a no-op, just like a target overflow does.

100


• If a memory region should be set to unconstrained values (havocked), this can be doneusing a copy operation from a fresh array variable. Similarly, the same approach could beused in order to model memory-mapped I/O.

• Tracking metadata for memory addresses. For instance, allocation information can bemodeled using an array containing information on the allocation state of the locations.Memory allocation and memory de-allocation can then be modelled using the set oper-ation. This makes it possible to develop an alternative to the SMT theory of memoryallocation presented in [11] and the memory model presented in [21].

6 Satisfiability Solving

Current SMT-solvers do not support TASC yet. There are, however, several possibilities toreduce the satisfiability problem for quantifier-free TASC formulas to the satisfiability problemfor a theory that is supported by existing SMT-solvers. In the following we only consider theset and copy operations, the set∞ and copy∞ operations are similar.

Eager Encoding. In this setting, the axioms are applied in a pre-processing step before theresulting formula is passed to an SMT-solver. This pre-processing is done similarly to thecase of TA as discussed in Section 2 by applying the axioms from left to right using theITE operator. The main disadvantage of this approach is that the read-over-write axiomshave to be applied eagerly as well in the pre-processing in order to eliminate writes thatare “between” a read operation and a set or copy operation. The main advantage of theeager encoding is that any SMT-solver that can handle TA in combination with the indextheory can be used.

Example 2. For the formula from Example 1, the eager encoding produces the formula

s > 0 ∧ o < s ∧ ITE(p < p + o < p + s, read(a, q + o), read(a, p + o)) 6= read(a, q + o)

which can easily be seen to be unsatisfiable.

Fully Quantified Axioms. In this approach, set and copy are added as interpreted functionsymbols whose semantics is given by explicitly stating the quantified axioms. As anexample, the fully quantified axiom for set has the form

∀a : array, p : index, v : element, s : size, r : index. read(set(a, p, v, s), r) =

ITE(p ≤ r < p + s, v, read(a, r))

The use of quantifiers makes the satisfiability problem hard, but it remains (in principle)decidable if bitvectors are used as indices.

Quantified Axioms Instantiated for Arrays. As in the previous approach, set and copyare added as interpreted function symbols but the fully quantified axiom is partially in-stantiated for those arrays to which the operators are applied in the formula. Furthermore,each occurrence of, e.g., set is replaced by a fresh interpreted function symbol whose aritycoincides with the number of arguments that are still quantified. Then, suitable con-straints on this function symbol are added. If the formula contains, e.g., a term of theform set(a′, p′, v′, s′), then the constraint

∀p : index, v : element, s : size, r : index. read(seta′(p, v, s), r) =

ITE(p ≤ r < p + s, v, read(a′, r))

101


is added to the formula.

Quantified Axioms Instantiated for all Arguments. Here, the fully quantified axiom isinstantiated even further using all arguments occurring in applications to set and copy.Concretely, if the formula contains a term of the form set(a′, p′, v′, s′), then the followingconstraint is added to the formula:

∀r : index. read(seta′,p′,v′,s′ , r) = ITE(p′ ≤ r < p′ + s′, v′, read(a′, r))

Notice that the interpreted function symbol for seta′,p′,v′,s′ is now just a constant symbol.

Instantiation-Based Approach. As in the previous approach, each occurrence of set andcopy in the formula is replaced by a fresh constant symbol and constraints on this constantare added. In contrast to the three aforementioned approaches, these constraints do notcontain any quantifier. Instead, an instantiation of the quantified constraint from theprevious approach is added for all needed read indices. Here, the needed read indicesare the (potentially) observed entries of the array produced by the set or copy operation(i.e., entries of the array that are read later on). They are determined by the followingalgorithm, in which we assume formulas to be represented as terms. Moreover, root(x)denotes the root symbol of a term x and y array x (y array x) denotes that x is a(non-strict) subterm of y such that the path leading from the root of y to the root of xcontains only function symbols of sort array:

/* x is a subterm of the complete formula ϕ with root(x) = copy or root(x) = set */function GetNeededReadIndices(ϕ, x)

N = ∅/* compute the set of minimal copy superterms of x in ϕ */C = y | y array x ∧ root(y) = copy ∧ ¬∃z. (y array z array x ∧ root(z) = copy)for c := copy(a, p, b, q, s) ∈ C do

if aarray x then/* add recursively computed indices */N = N ∪GetNeededReadIndices(ϕ, c)

end ifif barray x then

/* apply “pointer arithmetic” to the recursively computed indices */N = N ∪ q + (r − p) | p ∈ GetNeededReadIndices(ϕ, c)

end ifend for/* compute the set and write superterms “between” x and C */A = y | y array x ∧ ¬∃z ∈ C. y array z array x/* compute the indices used in reads of elements from A */N ′ = y | ∃z ∈ A. read(z, y) occurs in ϕreturn N ∪N ′

end function

Since the final formula does not contain quantifiers, any SMT-solver that can handle TAin combination with the index theory can be applied.

Example 3. For the formula from Example 1, the instantiation-based approach producesthe formula

s > 0 ∧ read(b, p + o) = ITE(p < p + o < p + s, read(a, q + o), read(a, p + o))

∧ o < s ∧ read(b, p + o) 6= read(a, q + o)

102


which again can easily be seen to be unsatisfiable. For the construction of the formula,notice that p + o is the only read index that is needed as an instantiation.

7 Evaluation

We have experimented with all possible implementations described in Section 6 for determiningthe satisfiability of quantifier-free formulas in TASC . Since our motivation was the applicationin our bounded model checking tool LLBMC [20, 22], we have restricted attention to the casewhere index consists of bitvectors.

The bounded model checking tool LLBMC is a bounded model checker for C and (to someextent) C++ programs. In order to support the complex and intricate syntax and semanticsof these programming languages, LLBMC uses the LLVM compiler framework [17] in order totranslate C and C++ programs into LLVM’s intermediate representation (IR). This IR is thenconverted into a logical representation and simplified using an extensive set of rewrite rules.The simplified formula is finally passed to an SMT-solver. Distinguishing features of LLBMC incomparison with related tools such as CBMC [7] and ESBMC [8] are its use of a flat, bit-precisememory model, its exhaustive set of built-in checks, and its performance (see [20]).

Within LLBMC, we evaluated the following approaches for TASC satisfiability:

1. The eager encoding and the instantiation-based approach were evaluated in combinationwith the SMT-solver STP (SVN revision 1625) [12] (alternatively, any other SMT-solverfor the logic QF ABV could be applied, e.g., Boolector [3] or Z3 [9]).

2. The approaches based on fully quantified or partially instantiated axioms have been eval-uated in combination with the SMT-solver Z3 (version 3.2) [9], because STP does notsupport quantifiers.

3. set and copy are simulated using loops on the level of LLVM’s IR. Consequently, the bound-edness restriction inherent to bounded model checking applies to these loops. This ap-proach was again evaluated in combination with STP.

These approaches have been evaluated on a collection of 55 C and C++ programs (19 programsfrom LLBMC’s test suite that were not specifically written for TASC , 19 programs from LLBMC’s testsuite that were specifically written for TASC , and 17 programs from other sources (16 programsfrom [1] and one program from the KLEE distribution)). Notice that the logical encoding ofthese programs may contain a set or copy operation for one of several reasons:

• The source code contains an explicit call to memset or memcpy/memmove.

• The compiler may introduce a call to memset in order to initialize global variables.

• Compiler optimizations may detect user-written functionality that essentially constitutesa re-implementation of memset or memcpy/memmove and replace the code by calls to therespective library functions.

• Library-specific implementation details included through header files may result in callsto memset or memcpy/memmove. This is in particular true for C++ programs that use thecontainer classes of the standard template library (STL).

• Default implementations of C++ constructors, especially the copy constructor, may makeuse of memcpy operations to initialize the memory.

103


Approach SMT-solver Total Time # Solved Formulas

Instantiation-Based Approach STP 25.368 55Eager Encoding STP 64.008 54Built-In Loops STP 225.673 50

Axioms Instantiated for all Arguments Z3 339.676 45Axioms Instantiated for Arrays Z3 420.876 42

Fully Quantified Axioms Z3 449.767 42

Table 1: Times and success rates for the different approaches.

Figure 2: Scatterplot comparing the instantiation-based approach to the other approaches.

For the purpose of this evaluation, also memset and memcpy/memmove with a statically knownsize were not broken into operations on single locations.

The results of LLBMC on the collection of examples are summarized in Table 1. The reportedtimes are in seconds and only record the time needed for solving the simplified formula, i.e.,the time needed for the logical encoding and the simplification of the formula are not included.A timeout of 30 seconds was imposed for each formula and timeouts are contained in the totaltimes. The experiments where performed on an Intel R© CoreTM 2 Duo 2.4GHz with 4GB RAM.

These results indicate that the instantiation-based approach achieves the best performance,which can also be observed in the scatterplot contained in Figure 2. Notice that Z3 in com-bination with fully quantified or partially instantiated axioms is significantly slower and lesspowerful than the approaches that do not involve quantified formulas. Also, the approacheswithout quantifiers perform better than the naıve implementation using loops on the level ofLLVM’s IR, where the latter is furthermore incomplete due to the bounded number of loopiterations that can be considered.4

4This incompleteness does not manifest itself in the evaluation since the number of loop iterations was chosensufficiently large for each example.

104


8 Related Work

Decidable extensions of the theory of arrays have been considered before. Suzuki and Jefferson[24] have studied the extension of TA with a restricted use of a permutation predicate. Mateti[18] has described a theory of arrays where entries of an array can be exchanged. Jaffar [16] hasinvestigated reading of array segments but does not discuss writing array segments as needed forset and copy. Ghilardi et al. [13] have considered the addition of axioms specifying the dimensionof arrays, injectivity of arrays, arrays with domains, array prefixes, array iterators, and sortedarrays. All of these extensions are orthogonal to the set and copy operations considered inthis paper. A theory of arrays with constant-valued arrays has been proposed by Stump etal. [23]. Our set and set∞ operators can be seen as proper generalizations of constant-valuedarrays. De Moura and Bjørner [10] have introduced combinatory array logic, which extends TAby constant-valued arrays and a map combinator.

The satisfiability problem for restricted classes of quantified formulas in the theory of ar-rays has been investigated as well. The work by Bradley et al. [2] identifies the array propertyfragment, where value constraints are restricted by index guards in universally quantified sub-formulas. Notice that copy and copy∞ cannot be expressed in the array property fragment dueto the “pointer arithmetic” q + (r − p). The set and set∞ operators, on the other hand, canbe defined in the array property fragment. The array property fragment was later extended byHabermehl et al. [15, 14], but the “pointer arithmetic” needed for copy and copy∞ is still notpermitted. Finally, Zhou et al. [25] have investigated a first-order array theory where the arrayelements are taken from a finite set.

9 Conclusions

We have presented an extension of the theory of arrays with set and copy operations that canbe used in order to model library functions such as C’s memset and memcpy/memmove in formalmethods such as program analysis, software verification, bounded model checking, or symbolicexecution. We have discussed several possible implementations of satisfiability solvers for thistheory and have reported on an evaluation in our bounded model checking tool LLBMC [20, 22].

In future work, we are particularly interested in adding “native” support for TASC in SMT-solvers such as STP [12] or Boolector [3]. For this, it is necessary to investigate lazy axiominstantiation or lemma-on-demand techniques for TASC since these techniques have been fun-damental for the performance gain that SMT-solvers for TA have experienced in recent years.Furthermore, we will formally prove soundness and completeness of the satisfiability solversdiscussed in Section 6, in particular for the instantiation-based approach. Finally, we will in-vestigate the complexity of satisfiability solving for quantifier-free TASC formulas and of thepossible solvers discussed in Section 6.

References

[1] A. Armando, J. Mantovani, and L. Platania. Bounded model checking of software using SMTsolvers instead of SAT solvers. STTT, 11(1):69–83, 2009.

[2] A. R. Bradley, Z. Manna, and H. B. Sipma. What’s decidable about arrays? In Proc. VMCAI2006, volume 3855 of LNCS, pages 427–442, 2006.

[3] R. Brummayer and A. Biere. Boolector: An efficient SMT solver for bit-vectors and arrays. InProc. TACAS 2009, volume 5505 of LNCS, pages 174–177, 2009.

105


[4] R. Brummayer and A. Biere. Lemmas on demand for the extensional theory of arrays. JSAT,6:165–201, 2009.

[5] C. Cadar, D. Dunbar, and D. R. Engler. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In Proc. OSDI 2008, pages 209–224, 2008.

[6] C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. EXE: Automaticallygenerating inputs of death. TISSEC, 12(2):10:1–10:38, 2008.

[7] E. M. Clarke, D. Kroening, and F. Lerda. A tool for checking ANSI-C programs. In Proc. TACAS2004, volume 2988 of LNCS, pages 168–176, 2004.

[8] L. Cordeiro, B. Fischer, and J. Marques-Silva. SMT-based bounded model checking for embeddedANSI-C software. In Proc. ASE 2009, pages 137–148, 2009.

[9] L. de Moura and N. Bjørner. Z3: An efficient SMT solver. In Proc. TACAS 2008, volume 4963 ofLNCS, pages 337–340, 2008.

[10] L. de Moura and N. Bjørner. Generalized, efficient array decision procedures. In Proc. FMCAD2009, pages 45–52, 2009.

[11] S. Falke, F. Merz, and C. Sinz. A theory of C-style memory allocation. In Proc. SMT 2011, pages71–80, 2011.

[12] V. Ganesh and D. L. Dill. A decision procedure for bit-vectors and arrays. In Proc. CAV 2007,volume 4590 of LNCS, pages 519–531, 2007.

[13] S. Ghilardi, E. Nicolini, S. Ranise, and D. Zucchelli. Decision procedures for extensions of thetheory of arrays. AMAI, 50(3–4):231–254, 2007.

[14] P. Habermehl, R. Iosif, and T. Vojnar. A logic of singly indexed arrays. In Proc. LPAR 2008,volume 5330 of LNCS, pages 558–573, 2008.

[15] P. Habermehl, R. Iosif, and T. Vojnar. What else is decidable about integer arrays? In Proc.FoSSaCS 2008, volume 4962 of LNCS, pages 474–489, 2008.

[16] J. Jaffar. Presburger arithmetic with array segments. IPL, 12(2):79–82, 1981.

[17] C. Lattner and V. S. Adve. LLVM: A compilation framework for lifelong program analysis &transformation. In Proc. CGO 2004, pages 75–88, 2004.

[18] P. Mateti. A decision procedure for the correctness of a class of programs. JACM, 28:215–232,1981.

[19] J. McCarthy. Towards a mathematical science of computation. In Proc. IFIP Congress 1962,pages 21–28, 1962.

[20] F. Merz, S. Falke, and C. Sinz. LLBMC: Bounded model checking of C and C++ programs usinga compiler IR. In Proc. VSTTE 2012, volume 7152 of LNCS, pages 146–161, 2012.

[21] C. Sinz, S. Falke, and F. Merz. A precise memory model for low-level bounded model checking.In Proc. SSV 2010, 2010.

[22] C. Sinz, F. Merz, and S. Falke. LLBMC: A bounded model checker for LLVM’s intermediaterepresentation (competition contribution). In Proc. TACAS 2012, volume 7214 of LNCS, pages542–544, 2012.

[23] A. Stump, C. W. Barrett, D. L. Dill, and J. R. Levitt. A decision procedure for an extensionaltheory of arrays. In Proc. LICS 2001, pages 29–37, 2001.

[24] N. Suzuki and D. Jefferson. Verification decidability of Presburger array programs. JACM, 27:191–205, 1980.

[25] M. Zhou, F. He, B.-Y. Wang, and M. Gu. On array theory of bounded elements. In Proc. CAV2010, volume 6174 of LNCS, pages 570–584, 2010.

106

An SMT-based Approach to Automated

Configuration

(Extended abstract)Raphael Michel

CETIC Research Center

Belgium

Arnaud HubauxPReCISE Research Center

University of Namur

Belgium

Vijay GaneshMassachusetts Institute

of Technology

USA

Patrick HeymansPReCISE Research Center

University of Namur

Belgium

Abstract

In this paper, we explore a novel application domain for SMT solvers: configurationproblems. Configuration problems are everywhere and particularly in product lines, wheredifferent yet similar products (e.g., cars or customizable software) are built from a sharedset of assets. Designing a product line requires enumerating the different product featuresand the constraints that determine their valid combinations. Various categories of con-straint solvers exist, but SMT solvers appear to be a solution of choice for configurationproblems. This is mostly due to their high efficiency and expressiveness which have alreadyproved useful in a variety of practical applications. In this paper, we recall what configu-ration problems are, describe a language to represent them, and map from configurationproblems to the satisfiability problem over SMT theories.

1 Variability Modelling and Configuration Problem

Product lines have become an integral part of modern industry, be it in the manufacturing, theservice or the software sectors [20]. Many kinds of products such as cars, insurance contractsor operating systems are developed as assemblies and customizations of reusable components,called configurations. Some configurations are valid, some are not, depending on numerousconstraints including physical, mechanical, business, legal and design constraints. Moreover,manufacturers have an economic incentive, often dubbed with a legal obligation, in makingsure that every possible configuration will result in a viable, safe, secure and useable product.Languages exist in which configuration problems can be encoded. These are often called vari-ability modeling languages. Software tools have been built to automate all sorts of reasoningon variability models so as to uncover errors and inconsistencies [2].

Cars are probably the most well-known example of a configurable product. Cars can beequipped with different types of engines, transmissions and gearboxes. Similarly, differentbodyworks (sedan, break, sport, cabriolet, etc.), paints, wheel types, and dozens of other op-tions are available for most recent models. When designing a new car model, the manufacturerhas to establish a list the various possible options and all the applicable configuration con-straints. Some options are obviously incompatible (e.g. a cabriolet cannot have a moonroof),but dependencies among certain options can be subtle (e.g. an integrated GPS requires a colorscreen, which in turn requires a multifunction steering wheel).

To build a car configurator similar to those found on the websites of car manufacturers, allthese constraints need to be taken into account in order to guarantee that the final configuration


An SMT-based Approach to Automated Configuration R. Michel et al.

will correspond to a car (1) that can actually be built and (2) that the manufacturer wishes tosell. When the variability model of a new car has been produced, the manufacturer can use itto verify properties of the products that can be derived, e.g., “Do all LPG cars also include aregular gas tank?”, “Is there any equipment presented to the buyer as an option that is in factavailable in all models by default anyways?”, etc.

Configurators are interactive software tools that record user choices and compute theirimplications automatically, e.g. update the price of the car, or automatically select / disablerelated options. For example, if the user selects ‘cabriolet’, the moonroof option should beeither hidden or grayed out. Some configurators even provide a short explanation telling whythe option is unavailable. All this needs to be done efficiently in order not to annoy users.

The aforementioned configurator features are often referred to as choice propagation andconflict explanation. Systematic solutions based on constraint solvers exist to handle theseproblems. However, constraint handling in configurators is still often developed in ad-hoc man-ner, i.e. without the help of a solver. This is time-consuming and error-prone. Moreover,maintaining ad-hoc configurators is difficult as the constraints evolve and these are often scat-tered in many different parts of the code.

Variability modelling languages can be seen as high-level constraint programming languagesthat address this challenge. They allow one to describe components and constraints in a declar-ative and natural way. Variability models are then handled by provably reliable constraintsolvers to check that the requested configurations are valid. Over the years, researchers havecome up with different approaches to that problem using different types of solvers (SAT, BDD,CSP, etc.) and techniques which we describe in the next section. To the best of our knowledge,SMT solvers have never been used for interactive configuration.

Most configuration problems are decisional, i.e., users have to decide whether a given optionshould be selected or not. However, sometimes configuration problems also involve objectivefunctions for optimizing a certain feature or attribute, e.g., minimize the memory footprint of anoperating system running on a mobile device. This paper only sets out to build the foundationfor SMT-based decisional configuration and leaves the possible extensions thereof (e.g., SMTwith optimization [19]) for future work.

2 Motivation for an SMT-based Approach

Over the years, different technologies have been studied to reason about configuration problems.The simplest forms of decisional configuration problems are defined as sets of binary de-

cisions governed by basic constraints such as implication and exclusion. Given their nature,these problems are usually modelled and encoded in plain propositional logic. As a result,their verification and the propagation of decisions during interactive configuration can be veryefficiently handled by modern SAT solvers [3].

However, casting configuration problems into purely Boolean formulas is often too restric-tive. Many problems actually impose constraints over integer, real or string types. Using thehigher expressiveness of constraint satisfaction problem solvers (CSPs) [22] is a very commonway to address this issue. Standard CSP solvers allow to use several variable types, includ-ing Boolean and numerical variables, but some also implement string constraints using regularexpressions [12].

Moreover, configuration problems often include variables which can either be activated ordeactivated depending on the value of other variables. This need led to the use of ConditionalCSPs [7]. Another extension to CSPs, called Generative CSP (GCSP) [7] handles the prob-lem differently by generating variables on the fly during the search process, allowing infinite

108


configurations to be constructed [1].Gebser et al. [10] and Friedrich et al. [8] proposed the use Answer Set Programming (ASP),

a technology very similar to SAT, based on the stable model semantics of logic programming.Several ASP solvers are based on SAT solvers (e.g. ASSAT [15], SModels-cc [18], and Sup) andothers like Clasp and CModels use well-known SAT solving techniques (e.g. Incremental SAT,nogoods, conflict driven). Despite their Boolean nature, their convenient prolog-like syntaxallows one to easily handle cardinalities (e.g.: 1a,b,c2 means that at least one and at most twoof the three variables must be true). Some ASP solvers like DLV and Clasp [11] also allow oneto perform optimizations (#minimize, #maximize).

Other techniques based on knowledge compilation have also been used to handle configura-tion problems effectively by trading space for performance. Binary Decision Diagrams (BDDs)are one such space efficient data-structure for handling Boolean models. BDDs can be efficientin certain cases where SAT solvers are not. However, beyond a certain threshold the size ofthe data structure produced during the compilation phase makes this approach intractable forlarge problems [16]. DNNF, much like BDD is a form of knowledge compilation [6]. BDDs area special case of DNNF. In their work on enumerating partial configurations, Voronov and al.also consider DNNF algorithms [23].

Dominant approaches to automated configuration are based on SAT, BDD and CSP solvers [22].In [21], Pohl et al. carried out a performance comparison of such solvers. They selected threedifferent solvers per category. Each solver had to complete a given set of operations on 90feature diagrams, the most common type of variability models. The largest model contained287 options. All these models were encoded in propositional logic. Without surprise, SATsolvers performed better for simple validation tasks whereas for more demanding operationssuch as product enumeration, differences are less clear. BDD solvers typically tend to performbetter on larger examples, for instance. Yet, for much larger models (2000+ options), Men-donca et al. [17] show that BDD solvers suffer from intractability while SAT solvers manageto successfully complete a satisfiability check. Regarding expressiveness, SAT is limited due toits Boolean-only nature. CSP-based approaches offer more expressiveness and support variousdata types, but they are usually less efficient.

Since SMT solvers are often SAT-based, our working hypothesis is that an SMT-basedapproach will retain the efficiency of modern SAT solvers while being much more expressive.Xiong et al. [24], for instance, have already demonstrated the applicability and high efficiencyof SMT for conflict resolution in software configuration. Besides performance, the authorschose to use an SMT solver for its higher expressiveness. Indeed, to apply their approach tooperating system configuration, support for arithmetic, inequality, and string operators wasrequired. In [4], Bofill and Palah compare CSP and SMT solvers for a variety of practicalapplications and show that most of the time SMT solvers are faster. Hence, we propose a novelconfiguration approach whose reasoning engine builds upon an SMT solver.

3 Modeling a Configuration Problem: The Audi Example

Software engineers rarely encode configuration options and their constraints in a solver-processableformat such as SMT-Lib. They rather use higher-level languages like variability models, whichare then translated into some solver format. Before delving into this translation, let us firstintroduce the basic building blocks of a variability model on a concrete example: The Audi carconfigurator.

Audi is a German car manufacturer. Nowadays, Audi offers 12 different model lines, eachavailable in different body styles with different engines and equipment. We present in Listing 1 a

109


variability model that contains a sample of all the options available in the Audi car configurator.1

This model is written in TVL [5], a text-based feature modeling language. TVL may be seenas the last generation of feature diagrams (FD), a notation first introduced in [13]. FDs arenow the de facto standard variability modelling language. They are usually depicted as treesand capture the commonalities and differences among products in a product family.

Listing 1: Sample TVL model of the Audi car configurator.

1 root AudiCar group allof ModelLine, BodyStyle, Engine, Exterior, Model 2

3 ModelLine 4 group oneof 5 AudiA4 AudiA4 -> (A4Saloon || A4Avant || S4Saloon || S4Avant) ,6 AudiA6 AudiA6 -> (A6Saloon || A6Avant) 7 8

9 BodyStyle 10 group oneof 11 Saloon Saloon -> (A4Saloon || S4Saloon || A6Saloon) ,12 Avant Avant -> (A4Avant || S4Avant || A6Avant) 13 14 Engine group allof WheelDrive, DriveTrain 15

16 WheelDrive group oneof Quatro, FrontWheelDrive, RearWheelDrive 17

18 DriveTrain group oneof Automatic, Manual, STronic 19

20 Gas group oneof Diesel, Petrol 21

22 Exterior23 group allof24 Color,25 Wheel,26 opt ExteriorPackage group someof BlackStyling, ContrastRoof 27 28 29

30 Color group oneof Metallic, PearlEffect, Other 31

32 Wheel33 group allof34 Size enum size in s15, s16, s17, s18, s19, s20 ,35 TypeWheel36 37 38

39 TypeWheel group oneof Spoke5, Spoke6, Harm7, Hole6 40

41 Model group oneofA4Saloon, A4Avant, S4Saloon, S4Avant, A6Saloon, A6Avant

In Listing 1, the root of the FD is labelled AudiCar and has four child features: ModelLine,BodyStyle, Engine, and Exterior (line 1). The selection of these child features is determined bythe operator allof (and -decomposition), which means that all the features must be selected;they are thus mandatory. Each of these features is then further refined in the rest of the model.

The ModelLine (line 3), for instance, has two child features (AudiA4 and AudiA6 ) whoseselection is determined by the oneof operator (xor -decomposition) at line 4. This operatormeans that one and only one of the child features can be selected. Each of its child featuresfurther constrains the selection of possible options. For instance, the selection of the AudiA6implies the selection of the A6Saloon or A6Avant bodystyle (line 6). Such constraints are calledcrosscutting constraints.

The Exterior feature (line 22) introduces two new concepts. First, its child feature Exte-riorPackage is preceded by the keyword opt which means that the feature is optional. The

1http://configurator.audi.co.uk/

110

http://configurator.audi.co.uk/


children of this feature are determined by the someof operator (or -decomposition), whichmeans that at least one option must be selected. TVL also supports generic cardinalities (notillustrated here) of the form [i..j], where i is the minimum number of selectable features and jthe maximum.

Finally, the Size feature of Wheel (line 34) adds another important concept: the attribute.In this example, the type of the attribute size is an enumeration of values which denotes thepossible wheel sizes. In other words, the value of size must be one of those listed in theenumeration. Note that this is only one possible type of attributes. An attribute can also be aBoolean, an integer or a string. Furthermore, constraints over these attributes can be definedand include arithmetic (e.g., + or −), comparison (e.g., ≤ or ≥), and aggregation (e.g., min ormax ) operators.

Armed with this intuitive understanding of FDs, we are now set to formally define theirfundamentals and their translation into an SMT problem.

4 Feature Diagram Language

TVL provides a concrete syntax for the FD language we use. However, to properly define thetranslation of TVL into a solver format, we need a mathematical definition of the underlyingconcepts, irrespective of the concrete representation. In this section, we thus recall the essenceof the abstract syntax of TVL from [5]. It will be useful to understand the translation presentedin the next section. For brevity, here we do not present the formal semantics but the interestedreader can refer to [5]

From an abstract point of view, any FD can be seen as a tree of features, containing a singleroot, and where each feature is decomposed in one or more features, except for the leaves.Features can be labeled as optional and cardinalities can be used to define the decompositiontype of a feature. Features can also have attributes. Attributes of features can be of differenttypes: Boolean, numerical or “enum” (one value among a set of values). As we said previously,FDs are trees, in which features can have “children” features, and a “parent” feature (exceptfor the root). In this context, a “justification rule” stipulates that if a feature is included in theproduct, then its parent feature must also be included. Then the translation will include thefollowing implication : B ⇒ A

Definition 1 (Syntactic domain LFD (Adapted from [5])).

A TVL model d ∈ LFD is a tuple (F, r, ω,DE, λ,A, ρ, τ, V, ι,Φ) such that:

• F is the (non empty) set of features (nodes).

• r ∈ F is the root.

• ω : F → 0, 1 labels optional features with a 0.

• DE ⊆ F × F is the decomposition relation between features which forms a tree. Forconvenience, we will use children(f) to denote g | (f, g) ∈ DE, the set of all directsub-features of f , and write n→ n′ sometimes instead of (n, n′) ∈ DE.

• λ : F → N × N indicates the decomposition type of a feature, represented as a cardinal-ity [i..j] where i indicates the minimum number of children required in a product and jthe maximum. Note that and-, or-, and xor-decompositions are particular cases of car-dinalities. For f ∈ N , they are respectively represented by [n..n], [1..n], and [1..1], wheren = |children(f)|.

111


• A is the set of attributes.

• ρ : A→ F is a total function that gives the feature declaring the attribute.

• τ : A→ int, enum, bool assigns a type to each attribute.

• V is the set of possible values for enumerated attributes.

• ι : a ∈ A|τ(a) = enum → P(V ) defines the domain of each enum.

• Φ is a formula that captures crosscutting constraints. Without loss of generality, weconsider Φ to be a conjunction of formulae on features and attributes.

Furthermore, each d ∈ LFD must satisfy the following well-formedness rules:

• r is the root: ∀f ∈ F (@f ′ ∈ F • f ′ → f)⇔ f = r,

• DE is acyclic: @f1, .., fk ∈ F • f1 → ..→ fk → f1,

• Leaves are 〈0..0〉-decomposed.

• Except for the root, each node has a single parent: ∀f ∈ F \ r : ∃!f ′ ∈ F • f ′ → f

Constraints found in FDs are Boolean expressions over features and attributes that mustremain true. These expressions include common Boolean operators (and, or, not, xor, implies).Common arithmetic operators are also available for numerical attributes (“+””, “-”, “*”, “/”,“abs”, “≤”, “≥”, “<”, “>”, “==”, “!=”). Comparison operations yield Boolean results thatcan be combined using the Boolean operators. These expressions are rather straightforward totranslate to their equivalent in the solver’s input language.

In abstract syntax form, the Audi example from Listing 1 becomes:

F = AudiCar,ModelLine,BodyStyle,Engine,Exterior, . . . r = AudiCarω(AudiCar) = 1, ω(ModelLine) = 1, . . . , ω(ExteriorPackage) = 0, . . .(AudiCar,ModelLine) ∈ DE, (AudiCar,BodyStyle) ∈ DE, . . . , (ModelLine,AudiA4) ∈ DE, . . .λ(AudiCar) = [4..4], λ(ModelLine) = [1..1], . . . , λ(ExteriorPackage) = [1..2], . . .A = sizeρ(size) = Sizeτ(size) = enumV = s15, s16, s17, s18, s19, s20ι(size) = s15, s16, s17, s18, s19, s20Φ = AudiA4⇒ (A4Saloon ∨A4Avant ∨ S4Saloon ∨ S4Avant)∧

AudiA6⇒ (A6Saloon ∨A6Avant)∧Saloon⇒ (A4Saloon ∨ S4Saloon ∨A6Saloon)∧Avant⇒ (A4Avant ∨ S4Avant ∨A6Avant)

5 Details of the translation from FD to STP

Features, attributes, and constraints over them are the core of an FD. In this section, wepresent how these constructs are translated into the STP SMT solver’s input language [9].STP is a state-of-the-art SMT solver for a quantifier-free theory of bit-vectors and arrays. Thetranslation from constructs of the FD language (see Definition 1) to STP is described in Table1.

F , the set of all features defined in the FD is encoded into an array of one-bit bitvectors,where each entry (or index) into the array represents a feature. If the bitvector corresponding

112


Table 1: Mapping from FDs to STP

FD construct STP Equivalent Comment

F : set of features F: ARRAY BITVECTOR(N) N = log(|F |)OF BITVECTOR(1) Every feature in F

is an entry inthe array F

r ∈ F r: BITVECTOR(N) Root feature r of Findexes the zerothposition of array F

ω : i|i ∈ F ASSERT(F[i] = 0bin1) The ith feature in Fis not optional

(f, g) ∈ F f,g : BITVECTOR(N) Features f, g areconverted intoindices into array F

For every pair (f, g) ∈ DE ASSERT( (F[g] = 0bin1) ⇒ (F[f] = 0bin1)) f is a parentof feature g

(f, lo, hi) ∈ λ means∀i ∈ [1, k] : (f, gi) ∈ DE ASSERT(lo ≤ F [g1] + F [g2] + ...+ F [gk] ≤ hi) The cardinality of

the set of features giis between lo and hi

for every attribute a of type int a : BITVECTOR(N) Attributes areover finite range bitvectors

Arithmetic and logic Arithmetic and logic Translation isoperations over attributes operations over corresponding bitvectors straightforward

For each pair (feature,attribute) M: ARRAY BITVECTOR(L) Feature hasOF BITVECTOR(1) attribute i

ASSERT(M[i] = 0bin1)

Constraints over Constraints over Translation isfeatures and attributes corresponding bitvectors and arrays straightforward

to a feature equals 1, then the feature is included in the FD. Only log(|F |) bits are required

113


to address this array since any index can be encoded in binary notation. The index of theroot feature, named r, is kept in a separate bitvector, of size log(|F |), the same size as anyother index. Optional and mandatory features are addressed through the set ω. ω containsall mandatory features, those that are not optional. For each of these features, we force thecorresponding bitvector in the array F to be equal to 1, meaning that the feature is includedin the product.

FD’s are represented as trees. Features have a parent feature (except for the root) and canhave children features. Each feature is represented by its index into the F array. Concretely,features are converted to bitvectors of size log(|F |). When a feature is included, its parent mustbe included as well. This constraint is translated by a group of “assert” statements, each ofwhich handles a pair of features (f, g) where f is the parent of g. If g is included in the productthen f must be included as well, meaning that if the gth element of F equals 1, then the f th

element must also be equal to 1.The set of children of a feature form a group, with which a cardinality can be associated,

indicating the number of features in F that can be selected. This cardinality is the sum ofthe corresponding bitvectors in F and must be between the bounds of the cardinality. This iscaptured by an inequality as shown in Table 1.

Attributes of features are encoded as bit-vector variables whose size depends on the type ofthe attribute. All the common arithmetic and logic operations on attributes have a straight-forward translation to their corresponding operation on bitvectors. Attributes and features areconnected using arrays indexed by bit-vectors of suitable length and whose entries are one bitbit-vectors. Each such array corresponds to a feature, and each index in the array correspondsto an attribute. If the ith bitvector of an array equals to 1, then the corresponding feature hasthe ith value of the corresponding attribute. Note that we assume here that all attributes canbe linearly ordered. Finally, additional FD constraints over features and attributes are usually(in)-equality comparisons indicating presence or absence of an attribute or feature. Addition-ally there can be numeric constraints. All such constraints have a straightforward translationto STP constraints over the corresponding bitvectors and arrays.

6 Preliminary Results

In this section we provide some preliminary results of the STP-based interactive configurationtool that we are developing.

6.1 Benchmarks

We developed the following benchmarks to evaluate our hypothesis: a configuration problemfor the Audi car product line and another for the Skoda car product line. The Audi TVLsample was built from their online car configurator2. It contains the most common optionsavailable including engines, wheels, infotainment, navigation, etc. We also added constraintsamong these options such as those described in Section 1. We did a similar exercise with theSkoda car configurator3. The TVL models of the Audi and Skoda car configurators respectivelycontain 154 and 253 features with 67 and 179 constraints. In both cases cases, most of theseconstraints (135 for the Audi example and all for the Skoda example) were expressed in plainpropositional logic.

2http://configurator.audi.co.uk/3http://www.skoda.co.uk/

114

http://configurator.audi.co.uk/

http://www.skoda.co.uk/


6.2 Experimental Setup

All experiments were performed on a MacBook Pro 2.4 GHz, 64 bit and 4 GBytes of RAM. Thetranslation from our FD language to STP is written in Java. We compared performance resultsbetween a SAT (CryptoMiniSAT [14]) and an SMT solver (STP). The TVL models were firsttranslated to their equivalent form in STP’s input language. Then we compared the performanceof the SMT solver using the command stp -t (-t tells stp to output the execution time)against the performances of CryptoMiniSAT, STP’s default backend SAT solver, using stp -t-r -a -w. These switches on the command line disable the optimisations and simplificationsperformed by STP before running CryptoMiniSAT.

6.3 Results and Discussion

STP is approximately twice as fast as pure SAT on our benchmarks. We note that theseexamples are relatively simple, and as we move to more complex applications we expect SMTsolvers to outperform SAT by a significant margin. We are in the process of translating manyother configuration problems into SMT problems that are far more complex. For these smallmodels which are mostly Boolean, we observe no significant difference (no more than 2X)between the execution times of STP with and without SMT optimizations. For Boolean models,using an SMT solver offers more expressiveness without additional performance cost.

7 Conclusions and Future Work

In this paper, we proposed a new application for SMT solvers: the configuration problem. Whilethe problem of configuration has already been studied for years using SAT and CSP solvers,each of these solvers have certain limitations which motivate our work. In particular, whileSAT solvers are very efficient, their input language is not expressive enough for many kinds ofconfiguration problems. On the other hand, CSP solvers have expressive input languages butare not as efficient as SAT solvers.

SMT solvers, a new breed of solvers, are efficient and expressive for many practical ap-plication including configuration problems and hence can be a viable alternative to SAT andCSP solvers. What we reported here is preliminary work on using SMT solvers for solvingconfiguration problems. Specifically, we present a mapping from TVL, a modern variabilitymodelling language, to STP, our SMT solver of choice. Future work will include: (1) Describ-ing how we interact with an SMT solver to perform other interactive configuration tasks suchas propagating user choices or explaining conflicts and providing alternatives to solve them;(2) Validating our claim that SMT solvers are more efficient than other types of solvers withsimilar expressiveness.

References

[1] M. Aschinger, C. Drescher, and G. Gottlob. Introducing loco, a logic for configuration problems.In Proceedings of the 2nd Workshop on Logics for Component Configuration (LoCoCo’11), pages36–45, Perugia, Italy, 2011.

[2] D. Benavides, S. Segura, and A. Ruiz-Cortes. Automated analysis of feature models 20 years later:A literature reviews. Information Systems, 35(6), 2010.

[3] A. Biere, M. Heule, H. van Maaren, and T. Walsh, editors. Handbook of Satisfiability, volume 185of Frontiers in Artificial Intelligence and Applications. IOS Press, 2009.

115


[4] M. Bofill, M. Palahı, J. Suy, and M. Villaret. SIMPLY: a Compiler from a CSP Modeling Languageto the SMT-LIB Format. In Proceedings of the 8th International Workshop on Constraint Modellingand Reformulation (ModRef’09), pages 30–44, Lisbon, Portugal, 2009.

[5] A. Classen, Q. Boucher, and P. Heymans. A text-based approach to feature modelling : Syntaxand semantics of TVL. Science of Computer Programming, 76:1130–1143, 2011.

[6] A. Darwiche. Compiling knowledge into decomposable negation normal form. In Proceedings of the16th international joint conference on Artifical intelligence - Volume 1 (IJCAI’99), pages 284–289,Stockholm, Sweden, 1999. Morgan Kaufmann Publishers Inc.

[7] G. Fleischanderl, G. E. Friedrich, A. Haselbock, H. Schreiner, and M. Stumptner. Configuringlarge systems using generative constraint satisfaction. IEEE Intelligent Systems, 13:59–68, July1998.

[8] G. Friedrich, A. A. Falkner, A. Haselbock, G. Schenner, H. Schreiner, and S. A. G. Osterreich.( Re ) configuration using Answer Set Programming. In Proceedings of the 12th Workshop onConfiguration (ConfWS’11), pages 26–35, Barcelona, Spain, 2011.

[9] V. Ganesh and D. L. Dill. A decision procedure for bit-vectors and arrays. In Proceedings of the19th international conference on Computer Aided Verification (CAV’07), pages 519–531, Berlin,Germany, 2007. Springer-Verlag.

[10] M. Gebser, R. Kaminski, and T. Schaub. aspcud: A Linux Package Configuration Tool Basedon Answer Set Programming. In Proceedings of the 2nd Workshop on Logics for ComponentConfiguration (LoCoCo’11), pages 12–25, Perugia, Italy, 2011.

[11] M. Gebser, B. Kaufmann, and T. Schaub. The conflict-driven answer set solver clasp: Progressreport. In Proceedings of the 10th International Conference on Logic Programming and Nonmono-tonic Reasoning (LPNMR’09), pages 509–514, Potsdam, Germany, 2009. Springer-Verlag.

[12] K. Golden and W. Pang. Constraint reasoning over strings. In Proceedings of the Ninth Interna-tional Conference on Principles and Practice of Constraint Programming (CP’03), pages 377–391,Kinsale, County Cork, Ireland, 2003. Springer-Verlag.

[13] K. Kang, S. G. Cohen, J. A. Hess, W. E. Novak, and A. S. Peterson. Feature-Oriented DomainAnalysis (FODA) Feasibility Study. Technical report, Software Engineering Institute, CarnegieMellon University, 1990.

[14] O. Kullmann, editor. Theory and Applications of Satisfiability Testing - SAT 2009, 12th Interna-tional Conference, SAT 2009, Swansea, UK, June 30 - July 3, 2009. Proceedings, volume 5584 ofLecture Notes in Computer Science. Springer, 2009.

[15] F. Lin and Y. Zhao. Assat: computing answer sets of a logic program by sat solvers. Artif. Intell.,157(1-2):115–137, 2004.

[16] M. Mendonca and A. Wasowski. SAT-based analysis of feature models is easy. In Proceedingsof the 13th International Software Product Line Conference, pages 231–240, San Francisco, USA,2009. Carnegie Mellon University.

[17] M. Mendonca. Efficient reasoning techniques for large scale feature models. PhD thesis, 2009.

[18] I. Niemela, P. Simons, and T. Syrjanen. Smodels: A system for answer set programming. CoRR,cs.AI/0003033, 2000.

[19] R. Nieuwenhuis and A. Oliveras. On SAT Modulo Theories and Optimization Problems. InA. Biere and C. P. Gomes, editors, Proceedings of the 9th International Conference on Theoryand Applications of Satisfiability Testing (SAT’06), volume 4121 of Lecture Notes in ComputerScience, pages 156–169. Springer, 2006.

[20] K. Pohl, G. Bockle, and F. J. van der Linden. Software Product Line Engineering: Foundations,Principles and Techniques. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2005.

[21] R. Pohl, K. Lauenroth, and K. Pohl. A performance comparison of contemporary algorithmicapproaches for automated analysis operations on feature models. In Proceedings of the 26thIEEE/ACM International Conference on Automated Software Engineering (ASE’11), ASE ’11,pages 313–322, Washington, DC, USA, 2011. IEEE Computer Society.

116


[22] F. Rossi, P. v. Beek, and T. Walsh. Handbook of Constraint Programming (Foundations of ArtificialIntelligence). Elsevier Science Inc., New York, NY, USA, 2006.

[23] A. Voronov, K. A kesson, and F. Ekstedt. Enumeration of valid partial configurations. In Pro-ceedings of the 12th Workshop on Configuration (ConfWS’11), pages 25–31, Barcelona, Spain,2011.

[24] Y. Xiong, A. Hubaux, S. She, and K. Czarnecki. Generating range fixes for software configuration.In Proceedings of the 34th International Conference on Software Engineering (ICSE’12), Zurich,Switzerland, 2012. IEEE Computer Society. (To appear).

117

Anatomy of Alternating Quantifier Satisfiability

(Work in progress)

Anh-Dung PhanTechnical University of Denmark


David MonniauxVerimag

Abstract

We report on work in progress to generalize an algorithm recently introduced in [10]for checking satisfiability of formulas with quantifier alternation. The algorithm uses twoauxiliary procedures: a procedure for producing a candidate formula for quantifier elimina-tion and a procedure for eliminating or partially eliminating quantifiers. We also apply thealgorithm for Presburger Arithmetic formulas and evaluate it on formulas from a modelchecker for Duration Calculus [8]. We report on experiments on different variants of theauxiliary procedures. So far, there is an edge to applying SMT-TEST proposed in [10],while we found that a simpler approach which just eliminates quantified variables perround is almost as good. Both approaches offer drastic improvements to applying defaultquantifier elimination.

1 Introduction

Can formulas with nested quantifiers be checked effectively for satisfiability? Several algorithmsexist in the context of Quantified Boolean Formulas that handle alternation of quantifiers [12, 1].They are specialized for eliminating variables over Booleans. An algorithm for alternating quan-tifier satisfiability was given in [10] for the case of linear arithmetic over the Reals. It integratestightly an All-SMT loop and projection based on Fourier-Motzkin elimination or Chernikov pro-jection. A question arises whether the ideas lift to other projection procedures. Also, are therereasonable alternatives to All-SMT and how do they compare? This ongoing work presents ageneralized algorithm of that presented in [10] which abstracts the auxiliary procedures. Weinstantiate the generalization to projection functions based on virtual substitutions, i.e. substi-tution methods that replace quantifiers by disjunctions of bounded variables. The specializationis for Linear Integer Arithmetic based on Cooper’s procedure and used for formulas that arisefrom Duration Calculus Model Checker (DCMC).

Linear Integer Arithmetic (LIA) or Presburger Arithmetic, introduced by Mojzaesz Pres-burger in 1929, is a first-order theory of integer which accepts + as its only operation. A classicexample of representing some amount of money by 3-cent coins and 5-cent coins appears in LIAas follows:

∀z (z ≥ 8→ ∃x ∃y (3x + 5y = z))

After Presburger proved decidability of LIA [14], LIA attracted a lot of attention due toapplications in different areas. Cooper’s algorithm [4] is a substitution-based decision procedure.The Omega Test is a projection-based decision procedure for LIA and employed in dependenceanalysis of compilers [13]. A variant that integrates elements from both Cooper’s method andthe Omega Test is implemented in Z3 [2]. While Z3 can handle non-trivial LIA problems,applications from DCMC also expose limitations of using quantifier elimination alone. Thetime complexity of all procedures for Presburger Arithmetic is high. Let n denote the length ofa LIA formula; running time of any decision procedure is at least 22

cn

for some constant c > 0

[6]. Moreover, Oppen proved a triply exponential upper bound 222cn

for worst-case runningtime of Cooper’s algorithm [11].


Anatomy of Alternating Quantifier Satisfiability A.-D. Phan, N. Bjørner, D. Monniaux

This paper is organized as follows. Section 2 presents the generalized algorithm with a fewsupporting procedures. Section 3 presents different methods for producing candidate formulas.Section 4 instantiates the algorithm with a concrete procedure for virtual substitutions. Wediscuss implementation details and benchmarks in Section 5 and Section 6 concludes the paper.

2 Alternating Quantifier Satisfiability

This section develops an algorithm that is an abstraction of the alternating quantifier satisfiabil-ity algorithm presented for Linear Real Arithmetic in [10]. The abstraction is formulated suchthat various quantifier elimination methods can be plugged in, including virtual substitutions.

2.1 Definitions

The algorithm being developed relies on two procedures for extrapolation and projection. Wefirst describe the requirements for these procedures and discuss the main algorithm later.

Definition 1 (Extrapolant). Given two formulas A and B, a formula C is an extrapolant ofA and B if the following conditions are satisfied:

A ∧B is unsat then C = falseA ∧B is sat then A ∧ C is sat, ¬B ∧ C is unsat

We use 〈A, B〉 to denote an extrapolant.

Extrapolation is typically understood as finding new data points outside a set of existingpoints. Intuitively, C has empty intersection with ¬B and non-empty intersection with A.There are many possible extrapolants for each pair of formulas, and the definition here doesnot specify how to compute an extrapolant. An example of a trivial extrapolant is described inthe following procedure: when A ∧B is satisfiable we can take B as an extrapolant, otherwisetake false.

Definition 2 (Projection πx.(C|M)). Let M and C be quantifier-free formulas where variable xonly occurs in C (x /∈ FV (M) where FV (M) denotes the set of free variables in M). AssumeC ∧ M is satisfiable. A projection procedure πx.(C|M) computes a quantifier-free formulasatisfying the conditions:

1. FV (πx.(C|M)) ⊆ FV (C) \ x

2. πx.(C|M) is sat

3. (M ∧ πx.(C|M))→ ∃x C

Similar to extrapolation we only gave the conditions that projection functions have to satisfyfor the developing algorithm to be sound. There is a choice of algorithms for implementingπx.(C|M). A possible way is to use virtual substitutions, where we derive a quantifier-freeformulas by substituting variables by one or more disjunctions. Virtual substitutions will bepresented with more details in Section 4.

2.2 Quantifier Test: algorithm QT

QT is defined as a recursive function in Algorithm 1. The four arguments of QT can beexplained in the following way: C is a context formula which reflects collected information at

119


Algorithm 1: QT (i, C, x, M)

if C ∧M i is unsat thenreturn (false, M)

endif i = n then

return (〈C, M i〉, M)end

(C ′, M ′)←QT (i+ 1, 〈C, M i〉, x, M);if C ′ = false then

return (〈C, M i〉, M ′)end

M ′′k ← M ′k, ∀ k 6= i;M ′′i ← M ′i ∧ ¬(πxi.(C

′|M ′i));return QT (i, C, x, M ′′);

Algorithm 2: QE(x, Fn)

Mk ← true, ∀ k < n;Mn ← Fn;C ← false;C ′ ← true;while C ′ 6= false do

(C ′, M)← QT (1, ¬C, x, M);C ← C ∨ C ′;

endreturn C;

current iteration; x and M are vectors of quantified variables and formulas respectively, and iis the index to access current elements in the above vectors. We use the notation M i to referto the i-th element of vector M and imply the same notation for other vectors.

Given any nested quantified formula F 1 in the form of Q1x′1Q2x

′2...Qkx

′k F

′ where Qi ∈∀, ∃ and F ′ is a quantifier-free formula, we can convert F 1 into a form of ∀x1¬∀x2...¬∀xn¬Fnwhere Fn is also quantifier-free. This leads to a sequence of formulas F i such that: F i ≡∀xi¬F i+1 for i < n. Before QT is called, the initial values of M i are initialized to true fori < n and Mn is initialized to Fn, The final value of M1 is false if and only if F 1 is unsatisfiable.

Theorem 1 (Partial Correctness). Assume C is satisfiable. The algorithm QT (i, C, x, M)returns a pair of the form (C ′, M ′) where C ′ is an extrapolant of 〈C, F i〉.

We do not provide a detailed proof, but we briefly discuss correctness and the invariant F i VM i, that are mutually inductive. The main idea is that F i VM i holds for the initialization stepfor QT, and F i ⇒ ¬(πxi.(C

′|M i)) also holds for each QT iteration; therefore, we strengthenM i in the end of QT and preserve the invariant at the same time. The if branches of QTreturn 〈C, M i〉 when M i cannot be strengthened any more. Moreover, QT also ensures that〈C, M i〉 ∧ F i is unsat. Therefore, the last 〈C, M i〉 (corresponding to the strongest version ofM i) is also an extrapolant of 〈C, F i〉.Termination: Algorithm QT does not terminate for arbitrary instantiations of projection andextrapolation. The projection and extrapolation operators we examine here are well-behaved(with respect to termination) in the following sense: (1) The extrapolation procedures do notintroduce new atoms, so there will be only a finite number of new extrapolants one can make.(2) The projection procedures are also finitary: they produce only a finite set of projections forthe case of linear arithmetic.

2.3 Quantifier Elimination: algorithm QE

A quantifier-free version of F 1 is obtained by executing QT until saturation in Algorithm 2.The algorithm initializes a vector of formulas M and strengthens these formulas as much as

120


possible in a loop.The intuition of QE is described as follows:

• Run QT (1, ¬false, x, M), we obtain a formula C1 where C1 V F 1.

• Execute QT (1, ¬C1, x, M), we get C2, a disjoint formula of C1, where C2 V F 1.

• Run QT (1, ¬(C1 ∨ C2), x, M), we obtain a next formula C3 where C3 V F 1.

• When QT (1,¬C, x, M) returns false, we get C as a disjunction of disjoint formulaswhere C ≡ C1 ∨ C2 ∨ ... ∨ Ck and C V F 1.

2.4 Algorithm QT by example

We use a small example to illustrate the algorithm QT :

∀y ∃z (z ≥ 0 ∧ ((x ≥ 0 ∧ y ≥ 0) ∨ −y − z + 1 ≥ 0)) (1)

The formulas corresponding to (1) are:

F 1 = ∀y ¬F 2, F 2 = ∀z ¬F3, F 3 = z ≥ 0 ∧ ((x ≥ 0 ∧ y ≥ 0) ∨ −y − z + 1 ≥ 0)

and quantifiers are:x1 = y, x2 = z

Algorithm QT also maintains formulas M1,M2 and M3 that are initialized as follows:

M1 = true, M2 = true, M3 = F 3 = z ≥ 0 ∧ ((x ≥ 0 ∧ y ≥ 0) ∨ −y − z + 1 ≥ 0)

It maintains the invariants:

F i VM i, FV (M i) ⊆ x1, . . . , xi−1 for i = 1, 2, 3 (2)

Finally, the algorithm propagates a context formula Ci between levels. The context formula isupdated during propagation. When Ci is propagated from level i to i+ 1 or i− 1, it results ina formula (Ci+1 or Ci−1) that has non-empty intersection with Ci and is implied by M i. Thisformula is an extrapolant of Ci and M i as defined in Definition 1. The extrapolant Ci on leveli satisfies:

FV (Ci) ⊆ x1, . . . , xi−1 (3)

It contains only variables that are free above level i.Let us run QT on the sample formula. In the initial state, vector M = 〈true, true, F 3〉, C1 =

true, i = 1.

1. C1∧M1 is true ∧ true. It is satisfiable, so let us choose an extrapolant C2 for C1 and M1.C2 := true is an extrapolant because C1 ∧C1 is satisfiable and ¬M1 ∧C2 is unsatisfiable.Set i := 2.

2. C2 ∧M2 is also satisfiable and similarly we set C3 := true, i := 3.

3. C3 ∧M3, which is C3 ∧ F 3, is satisfiable as well. In this case we will propagate back tolevel 2 a formula that intersects with C3 and implies F 3. So let us return C3 := z ≥0 ∧ x ≥ 0 ∧ y ≥ 0 and update the level i := 2.

121


4. Now F 2 ≡ ∀z.¬F 3 implies that ∀z.¬C3 ≡ ¬∃z.C3. So we can strengthen M2 with thenegation of any formula that implies ∃z.C3. This is a projection as denoted by the notationπz.(C3|M2) in Definition 2. It can take the current state of M2 into account. In this casewe set πz.(C3|M2) to x ≥ 0 ∧ y ≥ 0 and update M2 := ¬(x ≥ 0 ∧ y ≥ 0).

5. C2∧M2, which is ¬(x ≥ 0∧y ≥ 0), remains satisfiable. Let us set C3 := ¬(y ≥ 0), i := 3.C3 satisfies the conditions for being an extrapolant.

6. C3∧M3 (= C3∧F 3) is still satisfiable. We return the extrapolant C3 := z ≥ 0∧−y−z+1 ≥0 and set i := 2.

7. The formula y ≤ 1 implies ∃z.C3 (they are actually equivalent), so we can update M2 :=M2 ∧ ¬(y ≤ 1) and maintain the invariant F2 VM2. Let us simplify M2, ¬(x ≥ 0 ∧ y ≥0) ∧ ¬(y ≤ 1), to x < 0 ∧ y > 1.

8. At this point M2 implies x < 0. So the next extrapolant C3 will also imply x < 0.However, M3 cannot be satisfiable with C3. We are done with level 3 and return false tolevel 2. In response, level 2 propagates the extrapolant C2 := (x < 0 ∧ y > 1) up to level1.

9. Similar to step 4, F 1 ≡ ∀y.¬F 2 implies that ∀y.¬C2 ≡ ¬∃y.C2. So if we take πy.(C2|M1)to be x < 0, then we can update M1 := ¬(x < 0), which is x ≥ 0.

10. At this point let us check the levels below using x ≥ 0. Then M2 ∧ x ≥ 0 is unsatisfiable,so there is no refinement under this assumption. Return false to level 1. Level 1 is done,and we conclude the formula is satisfiable and an output quantifier-free formula is x ≥ 0.

3 Extrapolation

A trivial extrapolant has been described in Section 2.1. We will here discuss two other versionsof computing extrapolants 〈A,B〉.

3.1 SMT-TEST

The approach used in [9, 10] is to enumerate conjunctions of literals that satisfy A ∧ B. Sup-pose L := `1, . . . , `n are the literals in the satisfying assignment for A ∧ B. An extrapolantis the intersection of L and an unsatisfiable core of L ∧ ¬B. Our implementation of SMT-TEST extrapolation is using a single satisfiability check to extract a (not necessarily minimal)unsatisfiable core.

3.2 NNF strengthening

NNF strengthening is a process of deriving a stronger formula by replacing literals by false.We start with a formula C which is a transformation of B to NNF. For each literal in C in order,replace that literal by false and check the conditions for extrapolation so that ¬B∧C is unsatand A ∧ C is sat. The first check is redundant (which holds by construction) and the secondis not redundant. An extrapolant C = 〈A, B〉 is computed according to Algorithm 3. NNFstrengthening gives us stronger formulas which potentially help reduce the number of iterationsin procedure QT. We currently check satisfiability in each round during NNF strengthening.Another approach is to evaluate C[l/ false] using a model for C.

122


Algorithm 3: NNF extrap-olantC ← NNF (B);foreach literal ` ∈ C do

C ′ ← C[l/ false];if A ∧ C ′ is sat then

C ← C ′

end

endreturn C

4 Projection specialized to LinearInteger Arithmetic

We are here interested in LIA since LIA decision proce-dure is used as the core of DCMC and plays a central rolein feasibility of the model-checking approach [8]. Dura-tion Calculus (DC) is an extension of Interval TemporalLogic with the notion of accumulated durations allowingsuccinct formulation of real-time problems. Chop (_) isthe only modality appearing in DC; however, the model-checking problem in DC is transformed to satisfiability-

checking of a LIA formula in size exponential to the chop-depth [7].Cooper’s algorithm for Presburger Arithmetic corresponds to quantifier elimination using

virtual substitutions, and besides SMT-TEST for extrapolation we also consider strengtheningformulas in negation normal form (NNF) by replacing literals by false. Virtual substitutionmethods work directly on formulas in NNF, so SMT-TEST is potentially not required.

4.1 Virtual substitutions

Virtual substitutions on LIA are performed by means of Cooper’s algorithm. The algorithmremoves quantifiers in the inside-out order using the following transformation:

∃x. φ ⇐⇒ φ[>/ax < t, ⊥/ax > t] ∨δ∨

i=1

∨ax<t

φ[t + i/ax] ∧ δ′ | t + i

where δ is the least common multiple of all divisors d in divisibility constraints d | t and δ′ isthe least common multiple of all coefficients a in comparison constraints ax ./ t where a > 0and ./ ∈ <,≤,=,≥, >.

A quantified formula is transformed to a disjunction by a series of substitution steps. Thedisjunction can be represented symbolically (it corresponds to an existential quantifier over afinite domain) and may contain redundant disjuncts. The new divisibility constraint δ′ | t + icould be replaced by many divisibility constraints of small divisors a in each substitution. Inthis setting, smaller divisors of inner formulas lead to fewer number of case splits for the nextquantifier alternation.

4.2 Contextual simplification

Our projection procedure πx.(C|M) admits using a context M when processing C. The sim-plification depends on the strength of M and it helps to trim down unnecessary cases in avirtual substitution method later. This process is called contextual simplification which is easyto implement in an SMT solver. Algorithm 4 contains a procedure for contextual simplificationof formula ϕ. It works with a logical context, asserts that ϕ is unequal to p and recurses oversub-formulas of ϕ to replace them by true or false.

The approach also applies to non-Boolean domains (although this generalization is notrequired for QT ): the auxiliary algorithm then takes terms of arbitrary types and checks if

123


Algorithm 4: CS(ϕ)

if ϕ is unsat thenreturn false

endlet M be a model for ϕ;let p be a fresh propositionalvariable;assert p 6= ϕ;return CS(ϕ,M, p)

Algorithm 5: Auxiliary algorithm CS(ϕ,M, p)

if (p =M(ϕ)) is unsat in current context thenreturn M(ϕ)

endforeach immediate subformula ψi inϕ[ψ1, . . . , ψk] do

push;let pi be a fresh propositional variable;assert ϕ[ψ1, . . . , ψi−1, pi, ψi+1, . . . , ψk] = p;ψi ← CS(ψi,M, pi);pop;

endreturn ϕ[ψ1, . . . , ψk]

the terms are forced equal to the value provided in the model M. Instead of recursing onsub-formulas it can recurse on sub-terms of arbitrary types. When ϕ is represented as a DAGand has exponentially many sub-formulas, the result can in fact get much larger than theinput. A practical implementation of CS should therefore impose limits on how many times asub-formula is traversed.

Contextual simplification is used in STeP [3] for simplifying formulas produced from veri-fication condition generators and [5] develops a routine that works on formula trees in NNF,where it is used to speed up abstract interpreters that propagate formulas. Algorithm 4 is usedin Z3 with the observation that a modelM for ϕ can be used to prune checks for value forcingand it applies to subterms of arbitrary type. Z3 also contains cheaper contextual simplificationroutines that rely on accumulating equalities during a depth-first traversal. While this cheaperalgorithm can replace sub-terms by constants, it is not necessarily an advantage to use in con-text of SMT solving: a non-constant sub-term can be much more useful for learning generalpurpose lemmas during search.

5 Evaluation

We implemented different combinations for the instantiated algorithm in the preview versionof Z3 4.0. Projection procedures have been used including (A) - full quantifier eliminationand (B) - partial quantifier elimination. There are three variants of extrapolation: (0) - trivialextrapolation, (1) - NNF strengthening and (2) SMT-TEST. Furthermore, we also implemented(X) - contextual simplification and (Y) - no contextual simplification. These components in orderconstitute 12 different combinations which are named in short as aix where a ∈ A, B, i ∈0, 1, 2 and x ∈ X, Y . For example, A0Y denotes a combination of trivial extrapolation,full quantifier elimination and no contextual simplification.

We attempt to compare our algorithm (from now on called AQS algorithm) with Z3’s quan-tifier elimination algorithm. Non-random benchmarks are collected from DCMC. Not only isthe huge size (exponential to the chop-depth of DC formulas) of LIA formulas problematic, thenested nature between universal and existential quantifiers makes the problems even harder [8].

We divided benchmarks into two sets. Set 1 consists of 32 easy formulas having from56 to 94 quantifiers with file sizes ranging from 15KB to 33KB in SMT-LIB format. Z3’squantifier elimination can process these formulas within a few seconds. They are chosen for the

124


purpose of recognizing incompetent candidates in 12 combinations above. Set 2 have 64 hardinstances with 69-768 quantifiers and take 50-500KB in SMT-LIB format. They are beyondthe scope of Z3’s quantifier elimination algorithm. We use them to test scalability of differentcombinations. Benchmarks and experimental results are available on the Z3 website 1. Thebenchmark sets have some specific characteristics: coefficients are quite small and constraintsare sparse (consisting of a few variables). These features help limit the number of disjunctionsin virtual substitutions.

0

20

40

60

80

100

120

140

160

180

0 5 10 15 20 25 30 35

CPU Tim

e (secon

ds)

Number of problems solved

A0XA0YA1XA1YA2XA2YB0XB0YB1XB1YB2XB2YZ3

Figure 1: Accumulated running time of AQS vs. Z3 on benchmark set 1

Figure 1 summarizes the running time of different configurations of AQS as well as Z3’squantifier elimination algorithm. Each benchmark is given a 30-second timeout. The graphshows the accumulated running-time for solving all 32 problems. The winner is the configurationA0Y which means running AQS with projection implemented as full quantifier elimination andusing trivial extrapolation. This configuration solves all benchmarks within 20 seconds. Theconfiguration A2Y (using SMT-TEST instead of trivial extrapolation) is a close runner-up. Italso solves all benchmarks, but requires 35 seconds. This benchmark set is simply too small todraw clear conclusions between these approaches. Partial quantifier elimination (configurations

1http://research.microsoft.com/projects/z3/qt2012.zip

125

http://research.microsoft.com/projects/z3/qt2012.zip


with prefix B) is bad on all configurations. The experiments also suggest that strong contextsimplification is pure overhead in all configurations. In an earlier prototype outside of Z3,however, strong context simplification was an advantage. We attribute this to how constraintsget simplified and subsumed when being passed between AQS and Z3’s quantifier eliminationprocedure. Z3’s built-in quantifier elimination procedure has a slower ramp up time and is ableto solve all problems within 175 seconds.

0

500

1000

1500

2000

2500

3000

3500

4000

4500

0 10 20 30 40 50 60 70

CPU Tim

e (secon

ds)

Number of problems solved

A0X

A0Y

A1X

A1Y

A2X

A2Y

Figure 2: Accumulated running time of AQS on benchmark set 2

Experiment 2 was performed on Set 2 for all configurations of AQS with timeout of 300seconds. Experimental results are shown in Figure 2. We omit running time for configurationswith partial quantifier elimination, they solve almost no problems, and we also omit runningtime for the default quantifier elimination routine that also does not solve any problem. Theexperimental results indicate that AQS algorithm performs well on formulas with many blocksof nested quantifiers. We have gained an order of magnitude speedup for Duration Calculusapplication. The A2Y (using full projection and SMT-TEST ) configuration scales well on ourbenchmarks although A0Y (using full projection and trivial extrapolation) comes intriguinglyclose.

126


6 Conclusions

We presented an anatomy of the algorithm proposed in [10] for checking satisfiability of for-mulas with alternating quantification. We proposed a set of generalizations, applied them toPresburger Arithmetic, and evaluated the generalizations to benchmarks from a model checkerfor Duration Calculus. So far the experience has been that the satisfiability algorithms, wheninstantiated with SMT-TEST (and to some extent trivial extrapolation) perform orders ofmagnitude better than general purpose quantifier elimination. We are currently investigat-ing additional alternatives to the algorithms presented here. One alternative is to instantiatequantifiers incrementally using virtual substitutions. The idea is similar to how quantifiers areinstantiated using E-matching in SMT solvers. SMT solvers create a propositional abstractionof formulas, including quantifiers. If there is a satisfying assignment to the abstracted formulathat does not depend on the quantified sub-formulas, then the formula is satisfiable. Otherwise,quantified formulas are model-checked with respect to the current model and only instantiated(by axioms of the form “(∀xϕ[x])⇒ ϕ[t]”) when the interpretation for free variables cannot beextended to an interpretation that satisfies the quantified formulas.

Acknowledgments

This work grew out of a course on SMT solving organized by Flemming Nielson and Hanne R.Nielson. We are grateful for valuable comments and permission of using DCMC benchmarksfrom Michael R. Hansen. Anh-Dung Phan is supported by the IDEA4CPS project granted bythe Danish Research Foundation for Basic Research.

References

[1] Armin Biere. Resolve and Expand. In Holger H. Hoos and David G. Mitchell, editors, SAT(Selected Papers, volume 3542 of Lecture Notes in Computer Science, pages 59–70. Springer, 2004.

[2] Nikolaj Bjørner. Linear Quantifier Elimination as an Abstract Decision Procedure. In JurgenGiesl and Reiner Hahnle, editors, IJCAR, volume 6173 of Lecture Notes in Computer Science,pages 316–330. Springer, 2010.

[3] Nikolaj Bjørner, Anca Browne, Edward Y. Chang, Michael Colon, Arjun Kapur, Zohar Manna,Henny Sipma, and Tomas E. Uribe. STeP: Deductive-Algorithmic Verification of Reactive andReal-Time Systems. In Rajeev Alur and Thomas A. Henzinger, editors, CAV, volume 1102 ofLecture Notes in Computer Science, pages 415–418. Springer, 1996.

[4] D. Cooper. Theorem proving in arithmetic without multiplication. In Machine Intelligence, 1972.

[5] Isil Dillig, Thomas Dillig, and Alex Aiken. Small formulas for large programs: On-line constraintsimplification in scalable static analysis. In Radhia Cousot and Matthieu Martel, editors, SAS,volume 6337 of Lecture Notes in Computer Science, pages 236–252. Springer, 2010.

[6] Michael J. Fischer and Michael O. Rabin. Super-Exponential Complexity of Presburger Arithmetic.In Proceedings of the SIAM-AMS Symposium in Applied Mathematics, 1974.

[7] Martin Franzle and Michael R. Hansen. Efficient Model Checking for Duration Calculus? Int. J.Software and Informatics, 3(2-3):171–196, 2009.

[8] Michael R. Hansen and Aske Wiid Brekling. On Tool Support for Duration Calculus on the basisof Presburger Arithmetic. In Carlo Combi, Martin Leucker, and Frank Wolter, editors, TIME,pages 115–122. IEEE, 2011.

[9] David Monniaux. A Quantifier Elimination Algorithm for Linear Real Arithmetic. In IlianoCervesato, Helmut Veith, and Andrei Voronkov, editors, LPAR, volume 5330 of Lecture Notes inComputer Science, pages 243–257. Springer, 2008.

127


[10] David Monniaux. Quantifier Elimination by Lazy Model Enumeration. In Tayssir Touili, ByronCook, and Paul Jackson, editors, CAV, volume 6174 of Lecture Notes in Computer Science, pages585–599. Springer, 2010.

[11] Derek C. Oppen. A 222pn

Upper Bound on the Complexity of Presburger Arithmetic. J. Comput.Syst. Sci., 16(3):323–332, 1978.

[12] David A. Plaisted, Armin Biere, and Yunshan Zhu. A satisfiability procedure for quantifiedBoolean formulae. Discrete Applied Mathematics, 130(2):291–328, 2003.

[13] William Pugh. The Omega test: a fast and practical integer programming algorithm for depen-dence analysis. In Proceedings of the 1991 ACM/IEEE conference on Supercomputing, Supercom-puting ’91, pages 4–13, New York, NY, USA, 1991. ACM.

[14] Ryan Stansifer. Presburgers Article on Integer Airthmetic: Remarks and Translation. Technicalreport, Cornell University, Computer Science Department, September 1984.

128

SMT Workshop 2012 10th International Workshop on Satis ... · presentation-only papers, to provide...

Documents

Transcript of SMT Workshop 2012 10th International Workshop on Satis ... · presentation-only papers, to provide...