1 / 53

Satisfiability Modulo Theories and Network Verification

Satisfiability Modulo Theories and Network Verification. Nikolaj Bjørner Microsoft Research Formal Methods and Networks Summer School Ithaca, June 10-14 2013. Lectures. Wednesday 2:00pm-2:45pm : An Introduction to SMT with Z3 Thursday 11:00am-11:45am

fawzi
Download Presentation

Satisfiability Modulo Theories and Network Verification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Satisfiability Modulo Theoriesand Network Verification Nikolaj Bjørner Microsoft Research Formal Methods and Networks Summer School Ithaca, June 10-14 2013

  2. Lectures Wednesday2:00pm-2:45pm: An Introduction to SMT with Z3 Thursday11:00am-11:45am Algorithmic underpinningsofSAT/SMT Friday 9:00am-9:45am Theories, Solvers and Applications

  3. Plan • Progress in automated reasoning SAT, Automated Theorem Proving, SMT • An abstract account for SMT search (DPLL+T) • Integrating Theories Takeaway: Theorem Proving is cool and beautiful

  4. Symbolic Engines: SAT, FTP and SMT SAT: Propositional Satisfiability. (Tie  Shirt)  (Tie Shirt)  (Tie  Shirt) FTP: First-order Theorem Proving. X,Y,Z [X*(Y*Z) = (X*Y)*Z] X [X*inv(X) = e] X [X*e = e] SMT: Satisfiability Modulo background Theoriesb + 2 = c  A[3]≠ A[c-b+1]

  5. SAT - Milestones Problems impossible 10 years ago are trivial today Concept 2002 2010 Millions of variables from HW designs Courtesy Daniel le Berre

  6. FTP - Milestones • Some successstories: • Open Problems (of 25 years):XCB: X  ((X  Y)  (Z  Y))  Z)is a single axiom for equivalence • Knowledge Ontologies GBs of formulas Courtesy Andrei Voronkov, U of Manchester

  7. SMT - Milestones Z3 (of ’07) Time On BoogieRegression 1sec Simplify (of ’01) time Z3 Time On VCC Regression Includes progress from SAT: 15KLOC + 285KLOC = Z3 Nov 08 March 09

  8. News: SolvingR Efficiently A key idea: Use partial solution to guide the search Feasible Region x = 0.5 Extract small core DejanJojanovich & Leonardo de Moura, IJCAR 2012

  9. News: Horn Clause Satisfiability mc(x) = x-10 if x > 100 mc(x) = mc(mc(x+11)) if x  100 assert (x ≤ 101  mc(x) = 91)  mc()  mc()  mc() mc() mc() Solver finds solution for mc KrystofHoder & Nikolaj Bjorner, SAT 2012 Bjorner, McMillan, Rybalchenko, SMT 2012

  10. SMT solving

  11. SMT : Basic Architecture • Equality + UF • Arithmetic • Bit-vectors • … Case Analysis

  12. SAT + Theory solvers x  0, y = x + 1, (y > 2  y < 1) Abstract (aka “naming” atoms) p1, p2, (p3  p4) p1  (x  0), p2  (y = x + 1), p3  (y> 2), p4  (y < 1) Basic Idea

  13. SAT + Theory solvers x  0, y = x + 1, (y > 2  y < 1) Abstract (aka “naming” atoms) p1  (x  0), p2  (y = x + 1), p3  (y> 2), p4  (y < 1) p1, p2, (p3  p4) SAT Solver Basic Idea

  14. SAT + Theory solvers x  0, y = x + 1, (y > 2  y < 1) Abstract (aka “naming” atoms) p1  (x  0), p2  (y = x + 1), p3  (y> 2), p4  (y < 1) p1, p2, (p3  p4) Assignment p1, p2, p3, p4 SAT Solver Basic Idea

  15. SAT + Theory solvers x  0, y = x + 1, (y > 2  y < 1) Abstract (aka “naming” atoms) p1  (x  0), p2  (y = x + 1), p3  (y> 2), p4  (y < 1) p1, p2, (p3  p4) Assignment p1, p2, p3, p4 SAT Solver x  0, y = x + 1, (y> 2), y < 1 Basic Idea

  16. SAT + Theory solvers x  0, y = x + 1, (y > 2  y < 1) Abstract (aka “naming” atoms) p1  (x  0), p2  (y = x + 1), p3  (y> 2), p4  (y < 1) p1, p2, (p3  p4) Assignment p1, p2, p3, p4 SAT Solver x  0, y = x + 1, (y> 2), y < 1 Theory Solver Unsatisfiable x  0, y = x + 1, y < 1 Basic Idea

  17. SAT + Theory solvers x  0, y = x + 1, (y > 2  y < 1) Abstract (aka “naming” atoms) p1  (x  0), p2  (y = x + 1), p3  (y> 2), p4  (y < 1) p1, p2, (p3  p4) Assignment p1, p2, p3, p4 SAT Solver x  0, y = x + 1, (y> 2), y < 1 Theory Solver New Lemma p1p2p4 Unsatisfiable x  0, y = x + 1, y < 1 Basic Idea

  18. SAT + Theory solvers Theory Solver New Lemma p1p2p4 Unsatisfiable x  0, y = x + 1, y < 1 AKA Theory conflict

  19. SAT/SMT solving using DPLL(T)[Davis Putnam Logeman Loveland modulo theories]

  20. Resolution Formula must be in CNF Resolution rule: Example: The result of resolution is the resolvent(clause). Original clauses are kept (not deleted). Duplicate literals are deleted from the resolvent. Note: No branching. Termination: Only finite number of possible derived clauses.

  21. Resolution (example)

  22. Unit & Input Resolution Unit resolution: (is subsumed by Input resolution: ( member of input F). Exercise: Set of clauses F: F has an input refutation iffF has a unit refutation.

  23. DPLL DPLL: David Putnam Logeman Loveland = Unit resolution + split rule. split unit Ingredient of most efficient SAT solvers

  24. Pure Literals A literal is pure if only occurs positively or negatively.

  25. DPLL (as a procedure)

  26. DPLL M | F Partial model Set of clauses

  27. DPLL Guessing • p | p  q, q  r p, q | p  q, q  r

  28. DPLL Deducing • p | p  q, p  s p, s| p  q, p  s

  29. DPLL Backtracking • p, s, q | p  q, s  q, p q p, s | p  q, s  q, p q

  30. Modern DPLL • Non-chronological backtracking (backjumping) • Lemma learning and • Efficient indexing (two-watch literal) • …

  31. CDCL – Conflict Directed Clause Learning Lemma learning • t, p, q, s| t  p  q, q  s, p s • t, p, q, s | t  p  q, q s, p s |p s • t, p, q, s | t  p  q, q  s, p s |p q • t, p, q, s | t  p  q, q  s, p s |p t

  32. Core Engine in Z3: Modern DPLL/CDCL “It took me a year to understand the Mini-SAT FUIP code” Mate Soos to NiklasSörenson over ice-cream in Trento Model Proof We will nowmotivate the CDCL algorithm as a cooperative procedure between model and proof search Conflict Resolution [Nieuwenhuis, Oliveras, Tinelli J.ACM 06] customized

  33. Mile High: Modern SAT/SMT search Backjump Models literal assignments Proofs Conflict Clauses Conflict Resolution Propagate

  34. The Farkas Lemma Dichotomy There is an such that: There is a such that: For every matrix , vector it is the case that either (1) or (2) holds (and not both).

  35. A Dichotomy of Models and Proofs There is a model M such that There is a proof such that For every formula F (set of clauses) it is the case that either (1) or (2) holds (and not both).

  36. A Dichotomy of Models and Proofs There is such that There is and proof such that For every formula F (set of clauses) and partial model it is the case that either (1) or (2) holds (and not both).

  37. A Dichotomy of Models and Proofs There is such that There isand proof such that Given can it be extended to ’ to satisfy (1)? If not, find subset to establish (2). (that is inconsistent with F)

  38. A Dichotomy of Models and Proofs Corollary: If then it is not possible to extend to satisfy Corollary: If then - for some (or contains ) - for every , where - , - it is not possible to extend to satisfy

  39. CDCL Search – Data structures Partial Model: Sequenceof literals Decision lits: case splits Propagation lits: only one case makes sense. Formula: set of clauses Proof: Implicit Consequences added to F Invariant: For state : Invariant: For states and where :

  40. CDCL steps No model candidate has been fixed

  41. CDCL steps Case split on If can be extended to satisfy , then the extension contains or

  42. CDCL steps must be true if has any chance of being a model for

  43. CDCL steps

  44. CDCL steps is a sufficient explanation why is not a model of

  45. CDCL steps Recall Corollary: If then - for some (or contains ) - for every , where - , - it is not possible to extend to satisfy is a sufficientand earlier explanation why is not a model of

  46. CDCL steps • is a sufficientexplanation why is not a model of • Prefixes of that contain cannot become a model of • FUIPFirst Unique Implication Pointstrategy when # of decision literals in is minimal. • Why is FUIP better? • Minimizes # of backtracking points before learned fact • What if implies negation of removed backtracking point? • We would forget the learned fact during backjumping. • … only to then re-learn it.

  47. CDCL steps Re-use proof step for later: build DAG proof instead of TREE proof

  48. CDCL steps • Don’t forget to forget: • Learned clauses could turn out to be useless. • They could hog resources • Blocked Clause Elimination: • - Remove clauses that will not be used in proofs

  49. CDCL steps Avoid getting trapped in one part of search space [Reluctant doubling sequence: Luby, Sinclair, Zuckerman, IPL 47] Generating function [fasc6a draft chapter on SAT]

  50. Modern DPLL - tuning • Restart frequency • Why is restarting good? • Efficient replay trick for frequent restart • Which variable to split on • Which branch to explore first • Which lemmas to learn • Blocked clause elimination • Cache binary propagations • This is just scratching the surface

More Related