leonardo de moura microsoft research · 2021. 8. 10. · very useful in practice! most arithmetical...
TRANSCRIPT
![Page 1: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/1.jpg)
Leonardo de MouraMicrosoft Research
![Page 2: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/2.jpg)
Many approachesGraph-based for difference logic: a – b 3
Fourier-Motzkin elimination:
Standard Simplex
General Form Simplex
![Page 3: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/3.jpg)
Very useful in practice!
Most arithmetical constraints in software verification/analysis are in this fragment.
x := x + 1
x1 = x0 + 1
x1 - x0 1, x0 - x1 -1
![Page 4: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/4.jpg)
![Page 5: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/5.jpg)
Chasing negative cycles!
Algorithms based on Bellman-Ford (O(mn)).
![Page 6: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/6.jpg)
Many solvers (e.g., ICS, Simplify) are based on the Standard Simplex.
a - d + 2e = 3
b - d = 1
c + d - e = -1
a, b, c, d, e ≥ 0
![Page 7: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/7.jpg)
Many solvers (e.g., ICS, Simplify) are based on the Standard Simplex.
a - d + 2e = 3
b - d = 1
c + d - e = -1
a, b, c, d, e ≥ 0
1 0 0 -1 2
0 1 0 -1 0
0 0 1 1 -1
a
b
c
d
e
3
1
-1
=
![Page 8: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/8.jpg)
Many solvers (e.g., ICS, Simplify) are based on the Standard Simplex.
a - d + 2e = 3
b - d = 1
c + d - e = -1
a, b, c, d, e ≥ 0
1 0 0 -1 2
0 1 0 -1 0
0 0 1 1 -1
a
b
c
d
e
3
1
-1
=
We say a,b,c are the basic (or dependent) variables
![Page 9: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/9.jpg)
Many solvers (e.g., ICS, Simplify) are based on the Standard Simplex.
a - d + 2e = 3
b - d = 1
c + d - e = -1
a, b, c, d, e ≥ 0
1 0 0 -1 2
0 1 0 -1 0
0 0 1 1 -1
a
b
c
d
e
3
1
-1
=
We say a,b,c are the basic (or dependent) variables
We say d,e are the non-basic (or non-dependent) variables.
![Page 10: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/10.jpg)
Incrementality: add/remove equations
Slow backtracking
No theory propagation
![Page 11: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/11.jpg)
Simplex General Form
Algorithm based on the dual simplex
Non redundant proofs
Efficient backtracking
Efficient theory propagation
Support for string inequalities: t > 0
Preprocessing step
Integer problems: Gomory cuts, Branch & Bound, GCD test
![Page 12: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/12.jpg)
![Page 13: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/13.jpg)
s1 x + y, s2 x + 2y
![Page 14: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/14.jpg)
s1 x + y, s2 x + 2y
s1 = x + y,
s2 = x + 2y
![Page 15: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/15.jpg)
s1 x + y, s2 x + 2y
s1 = x + y,
s2 = x + 2y
s1 - x - y = 0
s2 - x - 2y = 0
![Page 16: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/16.jpg)
s1 x + y, s2 x + 2y
s1 = x + y,
s2 = x + 2y
s1 - x - y = 0
s2 - x - 2y = 0
s1, s2 are basic (dependent)
x,y are non-basic
![Page 17: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/17.jpg)
A way to swap a basic with a non-basic variable!
It is just equational reasoning.
Key invariant: a basic variable occurs in only one equation.
Example: swap s1 and y
s1 - x - y = 0
s2 - x - 2y = 0
![Page 18: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/18.jpg)
A way to swap a basic with a non-basic variable!
It is just equational reasoning.
Key invariant: a basic variable occurs in only one equation.
Example: swap s1 and y
s1 - x - y = 0
s2 - x - 2y = 0
-s1 + x + y = 0
s2 - x - 2y = 0
![Page 19: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/19.jpg)
A way to swap a basic with a non-basic variable!
It is just equational reasoning.
Key invariant: a basic variable occurs in only one equation.
Example: swap s1 and y
s1 - x - y = 0
s2 - x - 2y = 0
-s1 + x + y = 0
s2 - x - 2y = 0
-s1 + x + y = 0
s2 - 2s1 + x = 0
![Page 20: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/20.jpg)
A way to swap a basic with a non-basic variable!
It is just equational reasoning.
Key invariant: a basic variable occurs in only one equation.
Example: swap s1 and y
s1 - x - y = 0
s2 - x - 2y = 0
-s1 + x + y = 0
s2 - x - 2y = 0
-s1 + x + y = 0
s2 - 2s1 + x = 0
It is just substituting equals by equals.
![Page 21: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/21.jpg)
A way to swap a basic with a non-basic variable!
It is just equational reasoning.
Key invariant: a basic variable occurs in only one equation.
Example: swap s1 and y
s1 - x - y = 0
s2 - x - 2y = 0
-s1 + x + y = 0
s2 - x - 2y = 0
-s1 + x + y = 0
s2 - 2s1 + x = 0
It is just substituting equals by equals.
Definition:
An assignment (model) is a mapping from variables to values
Key Property:If an assignment satisfies the equations before a pivoting step, then it will also satisfy them after!
![Page 22: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/22.jpg)
A way to swap a basic with a non-basic variable!
It is just equational reasoning.
Key invariant: a basic variable occurs in only one equation.
Example: swap s2 and y
s1 - x - y = 0
s2 - x - 2y = 0
-s1 + x + y = 0
s2 - x - 2y = 0
-s1 + x + y = 0
s2 - 2s1 + x = 0
It is just substituting equals by equals.
Definition:
An assignment (model) is a mapping from variables to values
Key Property:If an assignment satisfies the equations before a pivoting step, then it will also satisfy them after!
Example:M(x) = 1M(y) = 1M(s1) = 2M(s2) = 3
![Page 23: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/23.jpg)
![Page 24: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/24.jpg)
If the assignment of a non-basic variable does not satisfy a bound, then fix it and propagate the change to all dependent variables.
a = c – d
b = c + d
M(a) = 0
M(b) = 0
M(c) = 0
M(d) = 0
1 c
a = c – d
b = c + d
M(a) = 1
M(b) = 1
M(c) = 1
M(d) = 0
1 c
![Page 25: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/25.jpg)
If the assignment of a non-basic variable does not satisfy a bound, then fix it and propagate the change to all dependent variables. Of course, we may introduce new “problems”.
a = c – d
b = c + d
M(a) = 0
M(b) = 0
M(c) = 0
M(d) = 0
1 c
a 0
a = c – d
b = c + d
M(a) = 1
M(b) = 1
M(c) = 1
M(d) = 0
1 c
a 0
![Page 26: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/26.jpg)
If the assignment of a basic variable does not satisfy a bound, then pivot it, fix it, and propagate the change to its new dependent variables.
a = c – d
b = c + d
M(a) = 0
M(b) = 0
M(c) = 0
M(d) = 0
1 a
c = a + d
b = a + 2d
M(a) = 0
M(b) = 0
M(c) = 0
M(d) = 0
1 a
c = a + d
b = a + 2d
M(a) = 1
M(b) = 1
M(c) = 1
M(d) = 0
1 a
![Page 27: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/27.jpg)
Sometimes, a model cannot be repaired. It is pointless to pivot.
a = b – c
a 0, 1 b, c 0
M(a) = 1
M(b) = 1
M(c) = 0
The value of M(a) is too big. We can reduce it by:- reducing M(b)
not possible b is at lower bound- increasing M(c)
not possible c is at upper bound
![Page 28: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/28.jpg)
s1 a + d, s2 c + d
a = s1 – s2 + c
a 0, 1 s1, s2 0, 0 c
M(a) = 1
M(s1) = 1
M(s2) = 0
M(c) = 0
Extracting proof from failed repair attempts is easy.
![Page 29: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/29.jpg)
s1 a + d, s2 c + d
a = s1 – s2 + c
a 0, 1 s1, s2 0, 0 c
M(a) = 1
M(s1) = 1
M(s2) = 0
M(c) = 0
Extracting proof from failed repair attempts is easy.
{ a 0, 1 s1, s2 0, 0 c } is inconsistent
![Page 30: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/30.jpg)
s1 a + d, s2 c + d
a = s1 – s2 + c
a 0, 1 s1, s2 0, 0 c
M(a) = 1
M(s1) = 1
M(s2) = 0
M(c) = 0
Extracting proof from failed repair attempts is easy.
{ a 0, 1 s1, s2 0, 0 c } is inconsistent
{ a 0, 1 a + d, c + d 0, 0 c } is inconsistent
![Page 31: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/31.jpg)
![Page 32: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/32.jpg)
SMT@Microsoft
![Page 33: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/33.jpg)
SMT@Microsoft
![Page 34: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/34.jpg)
SMT@Microsoft
![Page 35: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/35.jpg)
![Page 36: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/36.jpg)
![Page 37: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/37.jpg)
![Page 38: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/38.jpg)
![Page 39: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/39.jpg)
![Page 40: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/40.jpg)
![Page 41: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/41.jpg)
![Page 42: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/42.jpg)
![Page 43: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/43.jpg)
![Page 44: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/44.jpg)
![Page 45: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/45.jpg)
![Page 46: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/46.jpg)
![Page 47: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/47.jpg)
![Page 48: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/48.jpg)
![Page 49: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/49.jpg)
![Page 50: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/50.jpg)
![Page 51: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/51.jpg)
![Page 52: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/52.jpg)
![Page 53: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/53.jpg)
![Page 54: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/54.jpg)
![Page 55: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/55.jpg)
![Page 56: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/56.jpg)
![Page 57: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/57.jpg)
![Page 58: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/58.jpg)
![Page 59: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/59.jpg)
![Page 60: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/60.jpg)
![Page 61: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/61.jpg)
![Page 62: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/62.jpg)
![Page 63: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/63.jpg)
![Page 64: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/64.jpg)
![Page 65: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/65.jpg)
![Page 66: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/66.jpg)
![Page 67: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/67.jpg)
![Page 68: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/68.jpg)
![Page 69: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/69.jpg)
![Page 70: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/70.jpg)
![Page 71: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/71.jpg)
![Page 72: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/72.jpg)
![Page 73: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/73.jpg)
![Page 74: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/74.jpg)
![Page 75: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/75.jpg)
![Page 76: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/76.jpg)
![Page 77: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/77.jpg)
![Page 78: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/78.jpg)
![Page 79: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/79.jpg)
![Page 80: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/80.jpg)
![Page 81: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/81.jpg)
![Page 82: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/82.jpg)
![Page 83: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/83.jpg)
![Page 84: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/84.jpg)
![Page 85: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/85.jpg)
Completeness: trivial
Soundness: also trivial
Termination: non trivial.
We cannot choose arbitrary variable to pivot.
Assume the variables are ordered.
Bland’s rule: select the smallest basic variable c that does not satisfy its bounds, then select the smallest non-basic in the row of c that can be used for pivoting.
Too technical.
Uses the fact that a tableau has a finite number of configurations. Then, any infinite trace will have cycles.
![Page 86: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/86.jpg)
Array of rows (equations).
Each row is a dynamic array of tuples:
(coefficient, variable, pos_in_occs, is_dead)
Each variable x has a “set” (dynamic array) of occurrences:
(row_idx, pos_in_row, is_dead)
Each variable x has a “field” row*x+
row[x] is -1 if x is non basic
otherwise, row[x] contains the idx of the row containing x
Each variable x has “fields”: lower*x+, upper*x+, and value*x+
![Page 87: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/87.jpg)
rows: array of rows (equations).
Each row is a dynamic array of tuples:
(coefficient, variable, pos_in_occs, is_dead)
occs[x]: Each variable x has a “set” (dynamic array) of occurrences:
(row_idx, pos_in_row, is_dead)
row[x]:
row[x] is -1 if x is non basic
otherwise, row[x] contains the idx of the row containing x
Other “fields”: lower[x], upper[x], and value[x]
atoms[x]: atoms (assigned/unassigned) that contains x
![Page 88: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/88.jpg)
s1 a + b, s2 c – b
p1 a 0, p2 1 s1, p3 1 s2
p1, p2 were already assigned
a - s1 + s2 + c = 0
b- c + s2 = 0
a 0, 1 s1
M(a) = 0 value[a] = 0
M(b) = -1 value[a] = -1
M(c) = 0 value[c] = 0
M(s1) = 1 value[s1] = 1
M(s2) = 1 value[s2] = 1
rows = [
[(1, a, 0, t), (-1, s1, 0, t), (1, s2, 1, t), (1, c, 0, t)],
[(1,b, 0, t), (-1, c, 1, t), (1, s2, 2, t)] ]
occs[a] = [(0, 0, f)]
occs[b] = [(1,0,f)]
occs[c] = [(0,3,f), (1,1,f)]
occs[s1] = [(0,1,f)]
occs[s2] = [(0,0,t), (0,2,f), (1,2,f)]
row[a] = 0, row[b] = 1, row[c] = -1, …
upper[a] = 0, lower[s1] = 1
atoms[a] = {p1}, atoms[s1] = {p2}, …
![Page 89: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/89.jpg)
In practice, we need a combination of theories.
b + 2 = c and f(read(write(a,b,3), c-2)) ≠ f(c-b+1)
A theory is a set (potentially infinite) of first-order sentences.
Main questions:
Is the union of two theories T1 T2 consistent?
Given a solvers for T1 and T2, how can we build a solver for
T1 T2?
![Page 90: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/90.jpg)
Two theories are disjoint if they do not share function/constant and predicate symbols.
= is the only exception.
Example:
The theories of arithmetic and arrays are disjoint.
Arithmetic symbols: {0, -1, 1, -2, 2, …, +, -, *, >, <, ≥, }
Array symbols: { read, write }
![Page 91: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/91.jpg)
It is a different name for our “naming” subterms procedure.
b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1)
b + 2 = c, v6 ≠ v7
v1 3, v2 write(a, b, v1), v3 c-2, v4 read(v2, v3),
v5 c-b+1, v6 f(v4), v7 f(v5)
![Page 92: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/92.jpg)
It is a different name for our “naming” subterms procedure.
b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1)
b + 2 = c, v6 ≠ v7
v1 3, v2 write(a, b, v1), v3 c-2, v4 read(v2, v3),
v5 c-b+1, v6 f(v4), v7 f(v5)
b + 2 = c, v1 3, v3 c-2, v5 c-b+1,
v2 write(a, b, v1), v4 read(v2, v3),
v6 f(v4), v7 f(v5), v6 ≠ v7
![Page 93: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/93.jpg)
A theory is stably infinite if every satisfiable QFF is satisfiablein an infinite model.
EUF and arithmetic are stably infinite.
Bit-vectors are not.
![Page 94: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/94.jpg)
The union of two consistent, disjoint, stably infinite theories is consistent.
![Page 95: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/95.jpg)
A theory T is convex iff
for all finite sets S of literals and
for all a1 = b1 … an = bn
S implies a1 = b1 … an = bn
iff
S implies ai = bi for some 1 i n
![Page 96: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/96.jpg)
Every convex theory with non trivial models is stably infinite.
All Horn equational theories are convex.
formulas of the form s1 ≠ r1 … sn ≠ rn t = t’
Linear rational arithmetic is convex.
![Page 97: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/97.jpg)
Linear integer arithmetic is not convex
1 a 2, b = 1, c = 2 implies a = b a = c
Nonlinear arithmetic
a2 = 1, b = 1, c = -1 implies a = b a = c
Theory of bit-vectors
Theory of arrays
c1 = read(write(a, i, c2), j), c3 = read(a, j)
implies c1 = c2 c1 = c3
![Page 98: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/98.jpg)
EUF is convex (O(n log n))
IDL is non-convex (O(nm))
EUF IDL is NP-Complete
Reduce 3CNF to EUF IDL
For each boolean variable pi add 0 ai 1
For each clause p1 p2 p3 add
f(a1, a2, a3) ≠ f(0, 1, 0)
![Page 99: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/99.jpg)
EUF is convex (O(n log n))
IDL is non-convex (O(nm))
EUF IDL is NP-Complete
Reduce 3CNF to EUF IDL
For each boolean variable pi add 0 ai 1
For each clause p1 p2 p3 add
f(a1, a2, a3) ≠ f(0, 1, 0)
a1 ≠ 0 a2 ≠ 1 a3 ≠ 0
implies
![Page 100: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/100.jpg)
![Page 101: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/101.jpg)
![Page 102: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/102.jpg)
![Page 103: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/103.jpg)
![Page 104: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/104.jpg)
![Page 105: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/105.jpg)
![Page 106: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/106.jpg)
b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1)
Arithmetic
b + 2 = c,
v1 3,
v3 c-2,
v5 c-b+1
Arrays
v2 write(a, b, v1), v4 read(v2, v3)
EUF
v6 f(v4),
v7 f(v5),
v6 ≠ v7
![Page 107: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/107.jpg)
b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1)
Arithmetic
b + 2 = c,
v1 3,
v3 c-2,
v5 c-b+1
Arrays
v2 write(a, b, v1), v4 read(v2, v3)
EUF
v6 f(v4),
v7 f(v5),
v6 ≠ v7
Substituting c
![Page 108: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/108.jpg)
b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1)
Arithmetic
b + 2 = c,
v1 3,
v3 b,
v5 3
Arrays
v2 write(a, b, v1), v4 read(v2, v3),
EUF
v6 f(v4),
v7 f(v5),
v6 ≠ v7
Propagating v3 = b
![Page 109: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/109.jpg)
b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1)
Arithmetic
b + 2 = c,
v1 3,
v3 b,
v5 3
Arrays
v2 write(a, b, v1), v4 read(v2, v3),
v3 = b
EUF
v6 f(v4),
v7 f(v5),
v6 ≠ v7,
v3 = b
Deducing v4 = v1
![Page 110: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/110.jpg)
b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1)
Arithmetic
b + 2 = c,
v1 3,
v3 b,
v5 3
Arrays
v2 write(a, b, v1), v4 read(v2, v3),
v3 = b,
v4 = v1
EUF
v6 f(v4),
v7 f(v5),
v6 ≠ v7,
v3 = b
Propagating v4 = v1
![Page 111: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/111.jpg)
b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1)
Arithmetic
b + 2 = c,
v1 3,
v3 b,
v5 3,
v4 = v1
Arrays
v2 write(a, b, v1), v4 read(v2, v3),
v3 = b,
v4 = v1
EUF
v6 f(v4),
v7 f(v5),
v6 ≠ v7,
v3 = b,
v4 = v1
Propagating v5 = v1
![Page 112: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/112.jpg)
b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1)
Arithmetic
b + 2 = c,
v1 3,
v3 b,
v5 3,
v4 = v1
Arrays
v2 write(a, b, v1), v4 read(v2, v3),
v3 = b,
v4 = v1
EUF
v6 f(v4),
v7 f(v5),
v6 ≠ v7,
v3 = b,
v4 = v1,
v5 = v1Congruence: v6 = v7
![Page 113: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/113.jpg)
b + 2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1)
Arithmetic
b + 2 = c,
v1 3,
v3 b,
v5 3,
v4 = v1
Arrays
v2 write(a, b, v1), v4 read(v2, v3),
v3 = b,
v4 = v1
EUF
v6 f(v4),
v7 f(v5),
v6 ≠ v7,
v3 = b,
v4 = v1,
v5 = v1 ,
v6 = v7
Unsatisfiable
![Page 114: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/114.jpg)
Deterministic procedure may fail for non-convex theories.
0 a 1, 0 b 1, 0 c 1,
f(a) ≠ f(b),
f(a) ≠ f(c),
f(b) ≠ f(c)
![Page 115: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/115.jpg)
![Page 116: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/116.jpg)
![Page 117: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/117.jpg)
![Page 118: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/118.jpg)
![Page 119: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/119.jpg)
![Page 120: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/120.jpg)
![Page 121: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/121.jpg)
![Page 122: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/122.jpg)
![Page 123: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/123.jpg)
![Page 124: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/124.jpg)
![Page 125: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/125.jpg)
![Page 126: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/126.jpg)
![Page 127: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/127.jpg)
Model mutation without pivoting
For each non basic variable xj compute [Lj, Uj]
Each row containing xj enforces a limit on how much it can be increase and/or decreased without violating the bounds of the basic variable in the row.
![Page 128: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/128.jpg)
We say a variable is fixed if the lower and upper bound are the same.
1 x 1
A polynomial P is fixed if all its variables are fixed.
Given a fixed polynomial P of the forma 2x1 + x2,
we use M(P) to denote 2M(x1) + M(x2)
![Page 129: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/129.jpg)
M
M M
M M
![Page 130: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/130.jpg)
![Page 131: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/131.jpg)
A reduction function reduces the satifiability problem for a complex theory into the satisfiability problem of a simpler theory.
Ackermannization is a reduction function.
![Page 132: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/132.jpg)
EUF
![Page 133: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/133.jpg)
Annotated Program
Verification Condition F
pre/post conditions
invariants
and other annotations
![Page 134: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/134.jpg)
BIG
and-or
tree
(ground)
Axioms
(non-ground)
Control & Data
Flow
![Page 135: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/135.jpg)
Quantifiers, quantifiers, quantifiers, …
Modeling the runtime
h,o,f:IsHeap(h) o ≠ null read(h, o, alloc) = tread(h,o, f) = null read(h, read(h,o,f),alloc) = t
![Page 136: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/136.jpg)
Quantifiers, quantifiers, quantifiers, …
Modeling the runtime
Frame axioms
o, f:o ≠ null read(h0, o, alloc) = t
read(h1,o,f) = read(h0,o,f) (o,f) M
![Page 137: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/137.jpg)
Quantifiers, quantifiers, quantifiers, …
Modeling the runtime
Frame axioms
User provided assertions
i,j: i j read(a,i) read(b,j)
![Page 138: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/138.jpg)
Quantifiers, quantifiers, quantifiers, …
Modeling the runtime
Frame axioms
User provided assertions
Theories x: p(x,x)
x,y,z: p(x,y), p(y,z) p(x,z)
x,y: p(x,y), p(y,x) x = y
![Page 139: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/139.jpg)
Quantifiers, quantifiers, quantifiers, …
Modeling the runtime
Frame axioms
User provided assertions
TheoriesSolver must be fast in satisfiable instances.
We want to find bugs!
![Page 140: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/140.jpg)
Grand challenge: Microsoft Hypervisor
70k lines of dense C code
VCs have several Mb
Thousands of non ground clauses
Developers are willing to wait at most 5 min per VC
![Page 141: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/141.jpg)
Heuristic quantifier instantiation
Combining SMT with Saturation provers
Complete quantifier instantiation
Decidable fragments
Model based quantifier instantiation
![Page 142: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/142.jpg)
SMT solvers use heuristic quantifier instantiation.
E-matching (matching modulo equalities).
Example:
x: f(g(x)) = x { f(g(x)) }
a = g(b),
b = c,
f(a) c Trigger
![Page 143: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/143.jpg)
SMT solvers use heuristic quantifier instantiation.
E-matching (matching modulo equalities).
Example:
x: f(g(x)) = x { f(g(x)) }
a = g(b),
b = c,
f(a) c
x=b f(g(b)) = b
Equalities and ground terms come
from the partial model M
![Page 144: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/144.jpg)
Integrates smoothly with DPLL.
Software verification problems are big & shallow.
Decides useful theories:
Arrays
Partial orders
…
![Page 145: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/145.jpg)
E-matching is NP-Hard.
In practice
Problem Indexing Technique
Fast retrieval E-matching code trees
Incremental E-Matching Inverted path index
![Page 146: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/146.jpg)
Trigger:
f(x1, g(x1, a), h(x2), b)
Instructions:
1. init(f, 2)2. check(r4, b, 3)3. bind(r2, g, r5, 4)4. compare(r1, r5, 5)5. check(r6, a, 6)6. bind(r3, h, r7, 7)7. yield(r1, r7)
Compiler
Similar triggers share several instructions.
Combine code sequences in a code tree
![Page 147: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/147.jpg)
Limitations
E-matching needs ground seeds.
x: p(x),
x: not p(x)
![Page 148: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/148.jpg)
Limitations
E-matching needs ground seeds.
Bad user provided triggers:
x: f(g(x))=x { f(g(x)) }
g(a) = c,
g(b) = c,
a b Trigger is too
restrictive
![Page 149: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/149.jpg)
Limitations
E-matching needs ground seeds.
Bad user provided triggers:
x: f(g(x))=x { g(x) }
g(a) = c,
g(b) = c,
a b More “liberal”
trigger
![Page 150: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/150.jpg)
Limitations
E-matching needs ground seeds.
Bad user provided triggers:
x: f(g(x))=x { g(x) }
g(a) = c,
g(b) = c,
a b,
f(g(a)) = a,
f(g(b)) = ba=b
![Page 151: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/151.jpg)
Limitations
E-matching needs ground seeds.
Bad user provided triggers.
It is not refutationally complete.
False positives
![Page 152: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/152.jpg)
Tight integration: DPLL + Saturation solver.
BIG
and-or
tree
(ground)
Axioms
(non-ground)
![Page 153: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/153.jpg)
Inference rule:
DPLL() is parametric.
Examples:
Resolution
Superposition calculus
…
![Page 154: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/154.jpg)
M | F
Partial modelSet of clauses
![Page 155: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/155.jpg)
p(a) | p(a)q(a), x: p(x)r(x), x: p(x)s(x)
![Page 156: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/156.jpg)
p(a) | p(a)q(a), p(x)r(x), p(x)s(x)
![Page 157: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/157.jpg)
p(a) | p(a)q(a), p(x)r(x), p(x)s(x)
p(a) | p(a)q(a), p(x)r(x), p(x)s(x), r(x)s(x)
Resolution
![Page 158: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/158.jpg)
Using ground atoms from M:M | F
Main issue: backtracking.
Hypothetical clauses:
H C
(regular) Clause(hypothesis)
Ground literals
Track literals
from M used to
derive C
![Page 159: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/159.jpg)
p(a) | p(a)q(a), p(x)r(x)
p(a) | p(a)q(a), p(x)r(x), p(a)r(a)
p(a), p(x)r(x)
r(a)
![Page 160: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/160.jpg)
p(a), r(a) | p(a)q(a), p(a)r(a), p(a)r(a), …
![Page 161: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/161.jpg)
p(a), r(a) | p(a)q(a), p(a)r(a), p(a)r(a), …
p(a) is removed from M
p(a) | p(a)q(a), p(a)r(a), …
![Page 162: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/162.jpg)
Saturation solver ignores non-unit ground clauses.
p(a) | p(a)q(a), p(x)r(x)
![Page 163: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/163.jpg)
Saturation solver ignores non-unit ground clauses.
It is still refutanionally complete if: has the reduction property.
BIG
and-or tree
(ground)
Axioms
(non-ground)
![Page 164: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/164.jpg)
DPLL
+
Theories
Saturation
Solver
Saturation solver ignores non-unit ground clauses.
It is still refutanionally complete if: has the reduction property.
Ground literals
Ground clauses
![Page 165: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/165.jpg)
Problem
Interpreted symtbols
(f(a) > 2), f(x) > 5
It is refutationally complete if
Interpreted symbols only occur in ground clauses
Non ground clauses are variable inactive
“Good” ordering is used
![Page 166: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/166.jpg)
x1, x2: p(x1, x2) f(x1) = f(x2) + 1,
p(a,b), a < b + 1
![Page 167: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/167.jpg)
p(x1, x2) f(x1) = f(x2) + 1,
p(a,b), a < b + 1
![Page 168: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/168.jpg)
Variables appear only as arguments of uninterpreted symbols.
f(g(x1) + a) < g(x1) h(f(x1), x2) = 0
f(x1+x2) f(x1) + f(x2)
![Page 169: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/169.jpg)
Given a set of formulas F, build an equisatisfiable set of quantifier-free formulas F*
Suppose1. We have a clause C[f(x)] containing f(x).2. We have f(t).
Instantiate x with t: C[f(t)].
“Domain” of f is the set of ground terms Af
t Af if there is a ground term f(t)
![Page 170: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/170.jpg)
g(x1, x2) = 0 h(x2) = 0,g(f(x1),b) + 1 f(x1),h(c) = 1,f(a) = 0
F F*
![Page 171: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/171.jpg)
g(x1, x2) = 0 h(x2) = 0,g(f(x1),b) + 1 f(x1),h(c) = 1,f(a) = 0
F F*h(c) = 1,f(a) = 0
Copy quantifier-free formulas
“Domains”:Af: { a }Ag: { }Ah: { c }
![Page 172: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/172.jpg)
g(x1, x2) = 0 h(x2) = 0,g(f(x1),b) + 1 f(x1),h(c) = 1,f(a) = 0
F F*h(c) = 1,f(a) = 0,
“Domains”:Af : { a }Ag : { }Ah : { c }
![Page 173: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/173.jpg)
g(x1, x2) = 0 h(x2) = 0,g(f(x1),b) + 1 f(x1),h(c) = 1,f(a) = 0
F F*h(c) = 1,f(a) = 0,g(f(a),b) + 1 f(a)
“Domains”:Af : { a }Ag : { [f(a), b] }Ah : { c }
![Page 174: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/174.jpg)
g(x1, x2) = 0 h(x2) = 0,g(f(x1),b) + 1 f(x1),h(c) = 1,f(a) = 0
F F*h(c) = 1,f(a) = 0,g(f(a),b) + 1 f(a),
“Domains”:Af : { a }Ag : { [f(a), b] }Ah : { c }
![Page 175: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/175.jpg)
g(x1, x2) = 0 h(x2) = 0,g(f(x1),b) + 1 f(x1),h(c) = 1,f(a) = 0
F F*h(c) = 1,f(a) = 0,g(f(a),b) + 1 f(a),g(f(a), b) = 0 h(b) = 0
“Domains”:Af : { a }Ag : { [f(a), b] }Ah : { c, b }
![Page 176: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/176.jpg)
g(x1, x2) = 0 h(x2) = 0,g(f(x1),b) + 1 f(x1),h(c) = 1,f(a) = 0
F F*h(c) = 1,f(a) = 0,g(f(a),b) + 1 f(a),g(f(a), b) = 0 h(b) = 0
“Domains”:Af : { a }Ag : { [f(a), b]}Ah : { c, b }
![Page 177: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/177.jpg)
g(x1, x2) = 0 h(x2) = 0,g(f(x1),b) + 1 f(x1),h(c) = 1,f(a) = 0
F F*h(c) = 1,f(a) = 0,g(f(a),b) + 1 f(a),g(f(a), b) = 0 h(b) = 0,g(f(a), c) = 0 h(c) = 0
“Domains”:Af : { a }Ag : { [f(a), b], [f(a), c] }Ah : { c, b }
![Page 178: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/178.jpg)
g(x1, x2) = 0 h(x2) = 0,g(f(x1),b) + 1 f(x1),h(c) = 1,f(a) = 0
F F*h(c) = 1,f(a) = 0,g(f(a),b) + 1 f(a),g(f(a), b) = 0 h(b) = 0,g(f(a), c) = 0 h(c) = 0
a 2, b 2, c 3f { 2 0, …}h { 2 0, 3 1, …}g { [0,2] -1, [0,3] 0, …}
M
![Page 179: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/179.jpg)
Given a model M for F*,Build a model M for F
Define a projection function f s.t.range of f is M(Af), andf (v) = v if v M(Af)
Then,M(f)(v) = M(f)(f(v))
![Page 180: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/180.jpg)
M(Af) M(f(Af))
M(Af)
M(f(Af))
M(f)M(Af)
f
M(f)
M(f)
![Page 181: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/181.jpg)
Given a model M for F*,Build a model M for F
In our example, we have: h(b) and h(c) Ah = { b, c }, and M(Ah) = { 2, 3 }
h = { 2 2, 3 3, else 3 }
M(h) { 2 0, 3 1, …}
M(h){ 2 0, 3 1, else 1}
M(h) = x. if(x=2, 0, 1)
![Page 182: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/182.jpg)
g(x1, x2) = 0 h(x2) = 0,g(f(x1),b) + 1 f(x1),h(c) = 1,f(a) = 0
F F*h(c) = 1,f(a) = 0,g(f(a),b) + 1 f(a),g(f(a), b) = 0 h(b) = 0,g(f(a), c) = 0 h(c) = 0
M
a 2, b 2, c 3f x. 2h x. if(x=2, 0, 1)g x,y. if(x=0y=2,-1, 0)
M a 2, b 2, c 3f { 2 0, …}h { 2 0, 3 1, …}g { [0,2] -1, [0,3] 0, …}
![Page 183: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/183.jpg)
M
a 2, b 2, c 3f x. 2h x. if(x=2, 0, 1)g x,y. if(x=0y=2,-1, 0)
x1, x2: if(x1=0x2=2,-1,0) = 0 if(x2=2,0,1) = 0 is valid
Does M satisfies?x1, x2 : g(x1, x2) = 0 h(x2) = 0
x1, x2: if(x1=0x2=2,-1,0) 0 if(x2=2,0,1) 0 is unsat
if(s1=0s2=2,-1,0) 0 if(s2=2,0,1) 0 is unsat
![Page 184: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/184.jpg)
Suppose M does not satisfy C[f(x)].
Then for some value v,M{x v} falsifies C[f(x)].
M{x f(v)} also falsifies C[f(x)].
But, there is a term t Af s.t. M(t) = f(v)Moreover, we instantiated C[f(x)] with t.
So, M must not satisfy C[f(t)].Contradiction: M is a model for F*.
![Page 185: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/185.jpg)
F* may be very big (or infinite).
Lazy-constructionBuild F* incrementally, F* is the limit of the sequence
F0 F1 … Fk …
If Fk is unsat then F is unsat.
If Fk is sat, then build (candidate) M
If M satisfies all quantifiers in F then return sat.
![Page 186: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/186.jpg)
Suppose Mdoes not satisfy a clause C[f(x)] in F.
Add an instance C[f(t)] which “blocks” this spurious model.Issue: how to find t?
Use model checking,and the “inverse” mapping f
-1 from values to terms (in Af).f
-1(v) = t if M(t) = f(v)
![Page 187: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/187.jpg)
F
x1: f(x1) < 0,
f(a) = 1,
f(b) = -1
F0
f(a) = 1,
f(b) = -1
M
a2, b3
f x. if(x = 2, 1, -1)
Model Checking x1: f(x1) < 0
not if(s1= 2, 1, -1) < 0
s1 2
f-1(2) = a
F1
f(a) = 1,
f(b) = -1
f(a) < 0
unsat
![Page 188: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/188.jpg)
Is our procedure refutationally complete?
FOL CompactnessA set of sentences is unsatisfiable
iff
it contains an unsatisfiable finite subset.
A theory T is a set of sentences, then
apply compactness to F*T
![Page 189: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/189.jpg)
F
x1: f(x1) < f(f(x1)),
x1: f(x1) < a,
1 < f(0).
F*
f(0) < f(f(0)), f(f(0)) < f(f(f(0))), …
f(0) < a, f(f(0)) < a, …
1 < f(0)Every finite subset
of F* is satisfiable.
Unsatisfiable
![Page 190: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/190.jpg)
Theory of linear arithmetic TZ is the set of all first-order sentences that are true in the standard structure Z.
Tz has non-standard models.
F and F* are satisfiable in a non-standard model.
Alternative: a theory is a class of structures.
Compactness does not hold.
F and F* are still equisatisfiable.
![Page 191: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/191.jpg)
Given a clause Ck[x1, …, xn]
Let
Sk,i be the set of ground terms used to instantiate xi in clause Ck[x1, …, xn]
How to characterize Sk,i?
Fj-th argument of f in Ck
F
system of set constraints
a ground term t t Af,j
t[x1, …, xn] t[Sk,1, …, Sk,n] Af,j
xi Sk,i = Af,j
![Page 192: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/192.jpg)
g(x1, x2) = 0 h(x2) = 0,g(f(x1),b) + 1 f(x1),h(c) = 1,f(a) = 0
F
S1,1 = Ag,1, S1,2 = Ag,2, S1,2 = Ah,1
S2,1 = Af,1, f(S2,1) Ag,1, b Ag,2
c Ah,1
a Af,1
F
S1,1 = { f(a) }, S1,2 = { b, c }S2,1 = { a }
F: least solution
Use F to generate F*
![Page 193: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/193.jpg)
F is stratified then the least solution (and F*) is finite
New decidable fragment: NEXPTIME-Hard.
The least solution of F is exponential in the worst case.
aS1, bS1, f1(S1, S1) S2, …, fn(Sn, Sn) Sn+1
F* can be doubly exponential in the size of F.
t[Sk,1, …, Sk,n] Af,j level(Sk,i) < level(Af,j)
Sk,i = Af,j level(Sk,i) = level(Af,j)
![Page 194: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/194.jpg)
Arithmetical literals: f must be monotonic.
Offsets:
Literal of Ck F
(xi xj) Sk,i = Sk,j
(xi t), (txi) t Sk,i
xi = t {t+1, t-1} Sk,i
j-th argument of f in Ck F
xi + r Sk,i+r Af,j
Af,j+(-r) Sk,i
![Page 195: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/195.jpg)
Shifting
(0 x1) (x1 n) f(x1) = g(x1+2)
![Page 196: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/196.jpg)
Many-sorted logic
Pseudo-Macros
0 g(x1) f(g(x1)) = x1,0 g(x1) h(g(x1)) = 2x1,g(a) < 0
![Page 197: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/197.jpg)
![Page 198: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/198.jpg)
Bradley & Manna: The Calculus of Computation
Kroening & Strichman: Decision Procedures, An Algorithmic Point of View
Chapter in the Handbook of Satisfiability
![Page 199: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/199.jpg)
![Page 200: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/200.jpg)
![Page 201: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/201.jpg)
![Page 202: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/202.jpg)
![Page 203: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/203.jpg)
![Page 204: Leonardo de Moura Microsoft Research · 2021. 8. 10. · Very useful in practice! Most arithmetical constraints in software verification/analysis are in this fragment. x := x + 1](https://reader035.vdocuments.us/reader035/viewer/2022071610/6149fa9b12c9616cbc691d9c/html5/thumbnails/204.jpg)