Satisfiability Modulo Theories(An introduction)

Magnus Madsen

Todays Talk

What are SMT solvers?

How are they used in practice?

Motivation

Find and s.t.:

Solution

Knowledge of prop. logic

Knowledge of integers Knowledge of

integers

What is SMT?

Satisfiability Modulo Theories

+

What is a SMT instance?

A logical formula built using– negation, conjunction and disjuction• e.g. • e.g.

– theory specific operators• e.g. , • e.g. • e.g.

k-SAT

theory of integers

theory of bitwise

operators

theory of uninterpreted

functions

Recall k-SAT

The Boolean SATisfiability Problem:

• 2SAT is solveable in polynomial time• 3SAT is NP-complete (solveable in exponential

time)

clause literal or negated literal

Q: Why not encode every

formula in SAT?A: Theory

solvers have very efficient

algorithmsGraph Problems:• Shortest-Path• Minimum Spanning Tree

Optimization:• Max-Flow• Linear Programming

(just to name a few)

Q: But then, Why not get rid

of the SAT solver?

A: SAT solvers are very good at

case analysis

SAT Theory

Formula

NO

YES

𝑥≥3∧ (𝑥≤0∨ 𝑦 ≥0 )

𝑎∧ (𝑏∨𝑐 )

𝑎∧𝑏

NO

add clause:

𝑎∧𝑐

𝑥≥3∧𝑥≤0𝑥≥3∧ 𝑦 ≥0

YES

SMT Solver

Important Properties

• Efficiency of both SAT and Theory solver!• SAT Solver– Incremental (supports adding new clauses)

• Theory Solver– Ability to construct blocking clauses– Ability to create so-called "theory lemmas"

Theories

Theory of:– Difference Arithemetic– Linear Arithmetic– Arrays– Bit Vectors– Algebraic Datatypes– Uninterpreted Functions

SMT-LIB

• A modeling language for SMT instances– A declarative language with Lisp-like syntax– Defines common/shared terminology• e.g. LRA = Closed linear formulas in linear real

arithmetic• e.g. QF_BC = Closed quantifier-free formulas over the

theory of fixed-size bitvectors.

– http://www.smtlib.org/

Example 1

Solution

𝒙=𝟑∧𝒚=𝟎

Example 2

Applications

• Dynamic Symbolic Execution• Program Verification• Extended Static Checking• Model Checking• Termination Analysis

See Also: Tapas: Theory Combinations and Practical Applications

Dynamic Symbolic Execution

• combines dynamic and symbolic execution– step 1: execute the program recording the

branches taken and their symbolic constraints– step 2: negate one constraint– step 3: solve the constraints to generate new input

to the program (e.g. by using a SMT solver)– step 4: if a solution exists then execute the

program on the new input

Program Path¬𝑐1

𝑐2

¬𝑐3

𝑐4

Negate

Run SMT Solver

New Program Path¬𝑐1

𝑐2

𝑐3

𝑐5

Example: Greatest Common Divisor

Original programint gcd(int x, int y) { while (true) { int m = x % y; if (m == 0) return y; x = y; y = m; }}

int result = gcd(2, 4)

SSA unfoldingint gcd(int x0, int y0) {

while (true) { int m0 = x0 % y0;

assert(m0 != 0)

if (m0 == 0) return y0;

x1 = y0;

y1 = m0;

int m1 = x1 % y1;

assert(m1 == 0)

if (m1 == 0) return y1;

}}

Collecting Constraints

Collected constraintsint result = gcd(2, 4)

(assert (= m0 (mod x0 y0)))(assert (not (= m0 0)))

(assert (= x1 y0))(assert (= y1 m0))(assert (= m1 (mod x1 y1)))(assert (= m1 0))

SSA unfoldingint gcd(int x0, int y0) {

while (true) { int m0 = x0 % y0;

assert(m0 != 0)

if (m0 == 0) return y0;

x1 = y0;

y1 = m0;

int m1 = x1 % y1;

assert(m1 == 1)

if (m1 == 0) return y1;

}}

(assert (not (= m1 0)))

Computing a new pathint gcd(int x, int y) { while (true) { int m = x % y; if (m == 0) return y; x = y; y = m; }}

Solution:x = 2 and y = 3

Iteration 1: x = 2 & y = 3Iteration 2: x = 3 & y = 2Iteration 3: x = 2 & y = 1

Program Verificationint binary_search(int[] arr, int low, int height, int key) { assert(low > high || 0 <= < high); while (low <= high) { // Find middle value int mid = (low + high) / 2; assert(0 <= mid < high); int val = arr[mid]; // Refine range if (key == val) return mid; if (val > key) low = mid + 1; else high = mid – 1; } return -1;}

Assertion Violation:

low = 230, high = 230+1

SMT Solvers

• Z3– Microsoft Research

• MathSAT5– University of Trento

• CVC4 – New York University

• Many more

SMT-COMP

• A yearly competition between SMT solvers

Z3

Research Directions in SMT

• Improving the efficiency of SAT/Theory solvers• Improving the interplay between the SAT

solver and the theory solver– e.g. "online" solvers (partial truth assignment)

• Developing solvers for new theories• Combining different theories

With Thanks to Evan Driscoll

References

• Satisfiability Modulo Theories: Introduction and Applications– Leonardo De Moura & Nikolaj Bjørner

• Tapas: Theory Combinations and Practical Applications– Leonardo De Moura & Nikolaj Bjørner

• Z3 Tutorial Guide– http://rise4fun.com/z3/tutorial/guide

Summary

Satisfiability Modulo Theory (SMT):– constraint systems involving SAT + Theory

SMT solvers combine the best of:– SAT solvers and theory solvers

SMTs have applications in program analysis

More Work To Be Done?