Decision Procedures and Verifjcation NAIL094 Petr Kuera Charles - - PowerPoint PPT Presentation

Decision Procedures and Verifjcation

NAIL094 Petr Kučera

Charles University

2019/20 (6th lecture)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 1 / 42

Satisfjability Modulo Theories (SMT)

Propositional Satisfjability

We know how to decide if a propositional formula is satisfjable [(x1 ∧ x2 → x3) ∧ (x2 ∨ ¬x4) ∧ (x3 ↔ x2)] → (x1 ∨ x3 ∨ x4)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 3 / 42

Satisfjability Modulo Theories

Satisfjability Modulo Theories (SMT)

Check satisfjability of quantifjer-free fjrst-order logic theories Examples: Real numbers with equality Linear arithmetic Formula over arrays

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 4 / 42

Satisfjability Modulo Theories

Satisfjability Modulo Theories (SMT)

Check satisfjability of quantifjer-free fjrst-order logic theories Examples: Real numbers with equality (x1 = x2 ∨ x2 = x3) ∧ (x1 = x2 ∨ x1 = x4) ∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Linear arithmetic Formula over arrays

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 4 / 42

Satisfjability Modulo Theories

Satisfjability Modulo Theories (SMT)

Check satisfjability of quantifjer-free fjrst-order logic theories Examples: Real numbers with equality (x1 = x2 ∨ x2 = x3) ∧ (x1 = x2 ∨ x1 = x4) ∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Linear arithmetic ((x1 + 2x3 < 5) ∨ ¬(x3 ≤ 1) ∧ (x1 ≥ 3)) Formula over arrays

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 4 / 42

Satisfjability Modulo Theories

Satisfjability Modulo Theories (SMT)

Check satisfjability of quantifjer-free fjrst-order logic theories Examples: Real numbers with equality (x1 = x2 ∨ x2 = x3) ∧ (x1 = x2 ∨ x1 = x4) ∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Linear arithmetic ((x1 + 2x3 < 5) ∨ ¬(x3 ≤ 1) ∧ (x1 ≥ 3)) Formula over arrays ((i = j) ∧ a[j] = 1) ∧ ¬(a[i] = 1)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 4 / 42

SMT-LIB Logics

Image source: http://smtlib.cs.uiowa.edu/logics.shtml Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 5 / 42

First-Order Logic

First-order logic is based on Variables a set of variables Logical symbols connectives (e.g. ¬, ∧, ∨), quantifjers (∃, ∀), parentheses Signature set of function, predicate, and constant symbols Syntax describes how to write a well formed formula (with given signature)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 6 / 42

Examples of Signatures

Equality logic (=) single binary predicate = derived inequality predicate ≠ Linear arithmetic (0, 1, +, −, =, <, ≤) Two constants (functions of arity 0): 0, 1 Two binary functions: +, − Binary predicates =, <, ≤

Derived predicates >, ≥

Arrays (read, write) Binary function read(a, i)

usually written as a[i]

Ternary function write(a, i, v)

updated array denoted as a{i ← v}

Combined with other theories (equality, linear arithmetic, …)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 7 / 42

Examples of Signatures

Equality logic (=) single binary predicate = derived inequality predicate ≠ Linear arithmetic (0, 1, +, −, =, <, ≤) Two constants (functions of arity 0): 0, 1 Two binary functions: +, − Binary predicates =, <, ≤

Derived predicates >, ≥

Arrays (read, write) Binary function read(a, i)

usually written as a[i]

Ternary function write(a, i, v)

updated array denoted as a{i ← v}

Combined with other theories (equality, linear arithmetic, …)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 7 / 42

Examples of Signatures

Equality logic (=) single binary predicate = derived inequality predicate ≠ Linear arithmetic (0, 1, +, −, =, <, ≤) Two constants (functions of arity 0): 0, 1 Two binary functions: +, − Binary predicates =, <, ≤

Derived predicates >, ≥

Arrays (read, write) Binary function read(a, i)

usually written as a[i]

Ternary function write(a, i, v)

updated array denoted as a{i ← v}

Combined with other theories (equality, linear arithmetic, …)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 7 / 42

Σ-Literals

Σ-Atomic formula is defjned only using symbols in the signature Σ Σ-literal is a Σ-atomic formula or its negation Equality logic x1 = x2 ¬(x2 = x4) (or simply x2 ≠ x4) Linear arithmetic x1 > 0 2x2 − x5 = x1 + 2x4 3x5 ≤ 2x4 Arrays + Linear Arithmetic a[0] = 5 a{i ← v}[i] = v

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 8 / 42

Σ-Literals

Σ-Atomic formula is defjned only using symbols in the signature Σ Σ-literal is a Σ-atomic formula or its negation Equality logic x1 = x2 ¬(x2 = x4) (or simply x2 ≠ x4) Linear arithmetic x1 > 0 2x2 − x5 = x1 + 2x4 3x5 ≤ 2x4 Arrays + Linear Arithmetic a[0] = 5 a{i ← v}[i] = v

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 8 / 42

Σ-Literals

Σ-Atomic formula is defjned only using symbols in the signature Σ Σ-literal is a Σ-atomic formula or its negation Equality logic x1 = x2 ¬(x2 = x4) (or simply x2 ≠ x4) Linear arithmetic x1 > 0 2x2 − x5 = x1 + 2x4 3x5 ≤ 2x4 Arrays + Linear Arithmetic a[0] = 5 a{i ← v}[i] = v

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 8 / 42

Σ-Literals

Σ-Atomic formula is defjned only using symbols in the signature Σ Σ-literal is a Σ-atomic formula or its negation Equality logic x1 = x2 ¬(x2 = x4) (or simply x2 ≠ x4) Linear arithmetic x1 > 0 2x2 − x5 = x1 + 2x4 3x5 ≤ 2x4 Arrays + Linear Arithmetic a[0] = 5 a{i ← v}[i] = v

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 8 / 42

Interpretation

Is the following formula true in natural numbers ? ϕ = (∃x)[x + 0 = 1] Depends on the interpretation of the signature Interpretation of signature consists of

A domain Interpretation of the symbols in

defjnes semantic of functions, predicates, constants

An assignment of a domain element to each of the free (unquantifjed) variables

Formula is satisfjable there is a structure under which is true.

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 9 / 42

Interpretation

Is the following formula true in natural numbers ? ϕ = (∃x)[x + 0 = 1] Depends on the interpretation of the signature (0, 1, +, =) Interpretation of signature consists of

A domain Interpretation of the symbols in

defjnes semantic of functions, predicates, constants

An assignment of a domain element to each of the free (unquantifjed) variables

Formula is satisfjable there is a structure under which is true.

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 9 / 42

Interpretation

Is the following formula true in natural numbers ? ϕ = (∃x)[x + 0 = 1] Depends on the interpretation of the signature (0, 1, +, =) Interpretation of signature Σ consists of

A domain Interpretation of the symbols in

defjnes semantic of functions, predicates, constants

An assignment of a domain element to each of the free (unquantifjed) variables

Formula is satisfjable there is a structure under which is true.

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 9 / 42

Interpretation

Is the following formula true in natural numbers ? ϕ = (∃x)[x + 0 = 1] Depends on the interpretation of the signature (0, 1, +, =) Interpretation of signature Σ consists of

A domain Interpretation of the symbols in

defjnes semantic of functions, predicates, constants

An assignment of a domain element to each of the free (unquantifjed) variables

Formula is satisfjable there is a structure under which is true.

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 9 / 42

Interpretation

Is the following formula true in natural numbers ? ϕ = (∃x)[x + 0 = 1] Depends on the interpretation of the signature (0, 1, +, =) Interpretation of signature Σ consists of

A domain Interpretation of the symbols in Σ

defjnes semantic of functions, predicates, constants

An assignment of a domain element to each of the free (unquantifjed) variables

Formula is satisfjable there is a structure under which is true.

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 9 / 42

Interpretation

Is the following formula true in natural numbers ? ϕ = (∃x)[x + 0 = 1] Depends on the interpretation of the signature (0, 1, +, =) Interpretation of signature Σ consists of

A domain Interpretation of the symbols in Σ

defjnes semantic of functions, predicates, constants

An assignment of a domain element to each of the free (unquantifjed) variables

Formula is satisfjable there is a structure under which is true.

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 9 / 42

Interpretation

Is the following formula true in natural numbers ? ϕ = (∃x)[x + 0 = 1] Depends on the interpretation of the signature (0, 1, +, =) Interpretation of signature Σ consists of

A domain Interpretation of the symbols in Σ

defjnes semantic of functions, predicates, constants

An assignment of a domain element to each of the free (unquantifjed) variables

Formula is satisfjable there is a structure under which is true.

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 9 / 42

Interpretation

Is the following formula true in natural numbers ? ϕ = (∃x)[x + 0 = 1] Depends on the interpretation of the signature (0, 1, +, =) Interpretation of signature Σ consists of

A domain Interpretation of the symbols in Σ

defjnes semantic of functions, predicates, constants

An assignment of a domain element to each of the free (unquantifjed) variables

Formula is satisfjable there is a structure under which is true.

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 9 / 42

Interpretation

Is the following formula true in natural numbers ? ϕ = (∃x)[x + 0 = 1] Depends on the interpretation of the signature (0, 1, +, =) Interpretation of signature Σ consists of

A domain Interpretation of the symbols in Σ

defjnes semantic of functions, predicates, constants

An assignment of a domain element to each of the free (unquantifjed) variables

Formula ϕ is satisfjable ⇔ there is a structure under which ϕ is true.

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 9 / 42

Theory

Assume signature Σ. Σ-theory T puts restrictions on interpretations of symbols in Σ. Restricts the structures which are consistent with the theory

• theory

consists of

• sentences
• sentence —
• formula without free variables

all variables are quantifjed

• theory is usually specifjed with a set of axioms from which

remaining sentences of can be derived by inference rules

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 10 / 42

Theory

Assume signature Σ. Σ-theory T puts restrictions on interpretations of symbols in Σ. Restricts the structures which are consistent with the theory Σ-theory T consists of Σ-sentences Σ-sentence — Σ-formula without free variables

all variables are quantifjed

Σ-theory is usually specifjed with a set of axioms from which remaining sentences of T can be derived by inference rules

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 10 / 42

Theory

Assume signature Σ. Σ-theory T puts restrictions on interpretations of symbols in Σ. Restricts the structures which are consistent with the theory Σ-theory T consists of Σ-sentences Σ-sentence — Σ-formula without free variables

all variables are quantifjed

Σ-theory is usually specifjed with a set of axioms from which remaining sentences of T can be derived by inference rules

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 10 / 42

Theory

Assume signature Σ. Σ-theory T puts restrictions on interpretations of symbols in Σ. Restricts the structures which are consistent with the theory Σ-theory T consists of Σ-sentences Σ-sentence — Σ-formula without free variables

all variables are quantifjed

Σ-theory is usually specifjed with a set of axioms from which remaining sentences of T can be derived by inference rules

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 10 / 42

T-Satisfjability and T-Validity

Assume signature Σ and Σ-theory T

Defjnition (T-satisfjability and validity)

A formula ϕ is T-satisfjable if there exists an interpretation which satisfjes both the formula ϕ and the sentences of T A formula ϕ is T-valid if every interpretation which satisfjes the sentences of T also satisfjes ϕ

Example

Consider formula in theory T of linear arithmetic

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 11 / 42

T-Satisfjability and T-Validity

Assume signature Σ and Σ-theory T

Defjnition (T-satisfjability and validity)

A formula ϕ is T-satisfjable if there exists an interpretation which satisfjes both the formula ϕ and the sentences of T A formula ϕ is T-valid if every interpretation which satisfjes the sentences of T also satisfjes ϕ

Example

Consider formula in theory T of linear arithmetic ϕ = ( (x ≤ 5) ∨ (x > y) ) ∧ ( (x > 5) ∨ (x < y) )

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 11 / 42

T-Satisfjability and T-Validity

Assume signature Σ and Σ-theory T

Defjnition (T-satisfjability and validity)

A formula ϕ is T-satisfjable if there exists an interpretation which satisfjes both the formula ϕ and the sentences of T A formula ϕ is T-valid if every interpretation which satisfjes the sentences of T also satisfjes ϕ

Example

Consider formula in theory T of linear arithmetic ϕ = ( (x ≤ 5) ∨ (x > y) ) ∧ ( (x > 5) ∨ (x < y) ) ϕ is T-satisfjable (e.g. set x = 4, y = 5) ϕ is not T-valid

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 11 / 42

T-Satisfjability and T-Validity

Assume signature Σ and Σ-theory T

Defjnition (T-satisfjability and validity)

A formula ϕ is T-satisfjable if there exists an interpretation which satisfjes both the formula ϕ and the sentences of T A formula ϕ is T-valid if every interpretation which satisfjes the sentences of T also satisfjes ϕ

Example

Consider formula in theory T of linear arithmetic ϕ = (x < y) ∧ (y < z) ∧ (z < x) ϕ is not T-satisfjable …nor it is T-valid

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 11 / 42

T-Satisfjability and T-Validity

Assume signature Σ and Σ-theory T

Defjnition (T-satisfjability and validity)

A formula ϕ is T-satisfjable if there exists an interpretation which satisfjes both the formula ϕ and the sentences of T A formula ϕ is T-valid if every interpretation which satisfjes the sentences of T also satisfjes ϕ

Example

Consider formula in theory T of linear arithmetic (∀x)(∀y)(∀z)[x < y ∧ y < z → x < z] ϕ is a T-valid Σ-sentence

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 11 / 42

T-Satisfjability and T-Validity

Assume signature Σ and Σ-theory T

Defjnition (T-satisfjability and validity)

A formula ϕ is T-satisfjable if there exists an interpretation which satisfjes both the formula ϕ and the sentences of T A formula ϕ is T-valid if every interpretation which satisfjes the sentences of T also satisfjes ϕ

Example

Consider formula in theory T of linear arithmetic ϕ = (x ≤ x) ∧ ¬(x < x) ϕ is T-valid

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 11 / 42

Equality

Assume a theory T which contains the following axioms of equality (∀x)[x = x] refmexivity (∀x)(∀y)[x = y → y = x] symmetry (∀x)(∀y)(∀z)[x = y ∧ y = z → x = z] transitivity Then the following is a

• valid sentence

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 12 / 42

Equality

Assume a theory T which contains the following axioms of equality (∀x)[x = x] refmexivity (∀x)(∀y)[x = y → y = x] symmetry (∀x)(∀y)(∀z)[x = y ∧ y = z → x = z] transitivity Then the following is a T-valid sentence (∀x)(∀y)(∀z)[(((x = y) ∧ ¬(y = z)) → ¬(x = z))]

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 12 / 42

Problem to be Solved

Assume a signature Σ and a Σ-theory T SMT solvers aim to solve the following problem T-Satisfiability Instance: A quantifjer-free Σ-formula ϕ Question: Is ϕ a T-satisfjable formula?

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 13 / 42

Conjunctive Fragment

Conjunctive fragment

Conjunctive fragment of theory T with signature Σ consists of formulas that are conjunctions of Σ-literals. Assume a fjxed signature Σ and a Σ-theory T Decision procedure DPT for the conjunctive fragment T

takes a conjunction ψ of Σ-literals as the input, decides if ψ is T-satisfjable, possibly returns a model (satisfying interpretation)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 14 / 42

Example: Decision procedure for the theory of equality

Assume a conjunction ϕ of Σ-literals of form x = y and x ≠ y

Defjnition (Equality graph)

Equality graph for a formula ϕ is an undirected graph G(V, E=, E≠) where The nodes in V correspond to variables in ϕ Edge {x, y} ∈ E= if and only if ϕ contains Σ-literal x = y Edge {x, y} ∈ E≠ if and only if ϕ contains Σ-literal x ≠ y.

Decision procedure

is

• unsatisfjable if and only if there exists an inequality edge

such that there is a path from to using only edges in .

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 15 / 42

Example: Decision procedure for the theory of equality

Assume a conjunction ϕ of Σ-literals of form x = y and x ≠ y

Defjnition (Equality graph)

Equality graph for a formula ϕ is an undirected graph G(V, E=, E≠) where The nodes in V correspond to variables in ϕ Edge {x, y} ∈ E= if and only if ϕ contains Σ-literal x = y Edge {x, y} ∈ E≠ if and only if ϕ contains Σ-literal x ≠ y.

Decision procedure

ϕ is T-unsatisfjable if and only if there exists an inequality edge {x, y} ∈ E≠ such that there is a path from x to y using only edges in {x, y} ∈ E=.

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 15 / 42

Example: Decision procedure for the theory of equality

ϕ = (x1 ≠ x2) ∧ (x2 = x3) ∧ (x3 = x4) ∧ (x4 = x1) Formula is

• unsatisfjable

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 16 / 42

Example: Decision procedure for the theory of equality

ϕ = (x1 ≠ x2) ∧ (x2 = x3) ∧ (x3 = x4) ∧ (x4 = x1) x1 x2 x3 x4

x1 ≠ x2 x2 = x3 x3 = x4 x4 = x1

Formula is

• unsatisfjable

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 16 / 42

Example: Decision procedure for the theory of equality

ϕ = (x1 ≠ x2) ∧ (x2 = x3) ∧ (x3 = x4) ∧ (x4 = x1) x1 x2 x3 x4

x1 ≠ x2 x2 = x3 x3 = x4 x4 = x1

Formula ϕ is T-unsatisfjable

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 16 / 42

Case Splitting

Consider formula ϕ defjned as ( x1 = x2 ∨ x1 = x3 )∧( x1 = x2 ∨ x1 = x4 )∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Checking T-satisfjability of ϕ can be split into the following four cases

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 17 / 42

Case Splitting — Case 1

Consider formula ϕ defjned as ( x1 = x2 ∨ x1 = x3 )∧( x1 = x2 ∨ x1 = x4 )∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Case 1 ϕ1 =

↓

x1 = x2 ∧ x1 = x2 ∧

↓

x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Formula is not

• satisfjable

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 18 / 42

Case Splitting — Case 1

Consider formula ϕ defjned as ( x1 = x2 ∨ x1 = x3 )∧( x1 = x2 ∨ x1 = x4 )∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Case 1 ϕ1 =

↓

x1 = x2 ∧ x1 = x2 ∧

↓

x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Formula ϕ1 is not T-satisfjable

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 18 / 42

Case Splitting — Case 2

Consider formula ϕ defjned as ( x1 = x2 ∨ x1 = x3 )∧( x1 = x2 ∨ x1 = x4 )∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Case 2 ϕ2 =

↓

x1 = x2 ∧ x1 = x4 ∧

↓

x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Formula is not

• satisfjable

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 19 / 42

Case Splitting — Case 2

Consider formula ϕ defjned as ( x1 = x2 ∨ x1 = x3 )∧( x1 = x2 ∨ x1 = x4 )∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Case 2 ϕ2 =

↓

x1 = x2 ∧ x1 = x4 ∧

↓

x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Formula ϕ2 is not T-satisfjable

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 19 / 42

Case Splitting — Case 3

Consider formula ϕ defjned as ( x1 = x2 ∨ x1 = x3 )∧( x1 = x2 ∨ x1 = x4 )∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Case 3 ϕ3 = x1 = x3 ∧

↓

x1 = x2 ∧

↓

x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Formula is not

• satisfjable

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 20 / 42

Case Splitting — Case 3

Consider formula ϕ defjned as ( x1 = x2 ∨ x1 = x3 )∧( x1 = x2 ∨ x1 = x4 )∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Case 3 ϕ3 = x1 = x3 ∧

↓

x1 = x2 ∧

↓

x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Formula ϕ3 is not T-satisfjable

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 20 / 42

Case Splitting — Case 4

Consider formula ϕ defjned as ( x1 = x2 ∨ x1 = x3 )∧( x1 = x2 ∨ x1 = x4 )∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Case 4 ϕ4 =

↓

x1 = x3 ∧ x1 = x4 ∧ x1 ≠ x2 ∧

↓

x1 ≠ x3 ∧ x1 ≠ x4 Formula is not

• satisfjable

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 21 / 42

Case Splitting — Case 4

Consider formula ϕ defjned as ( x1 = x2 ∨ x1 = x3 )∧( x1 = x2 ∨ x1 = x4 )∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Case 4 ϕ4 =

↓

x1 = x3 ∧ x1 = x4 ∧ x1 ≠ x2 ∧

↓

x1 ≠ x3 ∧ x1 ≠ x4 Formula ϕ4 is not T-satisfjable

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 21 / 42

Case Splitting

Consider formula ϕ defjned as ( x1 = x2 ∨ x1 = x3 )∧( x1 = x2 ∨ x1 = x4 )∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Checking T-satisfjability of ϕ can be split into the following four cases

1 x1 = x2 ∧ x1 = x2 ∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 2 x1 = x2 ∧ x1 = x4 ∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 3 x1 = x3 ∧ x1 = x2 ∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 4 x1 = x3 ∧ x1 = x4 ∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4

None of these cases is

• satisfjable, hence

is not

• satisfjable

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 22 / 42

Case Splitting

Consider formula ϕ defjned as ( x1 = x2 ∨ x1 = x3 )∧( x1 = x2 ∨ x1 = x4 )∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 Checking T-satisfjability of ϕ can be split into the following four cases

1 x1 = x2 ∧ x1 = x2 ∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 2 x1 = x2 ∧ x1 = x4 ∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 3 x1 = x3 ∧ x1 = x2 ∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4 4 x1 = x3 ∧ x1 = x4 ∧ x1 ≠ x2 ∧ x1 ≠ x3 ∧ x1 ≠ x4

None of these cases is T-satisfjable, hence ϕ is not T-satisfjable

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 22 / 42

Case Splitting

Case splitting is ineffjcient Number of cases can be exponential in the size of the original formula Does not exploit the learning capabilities of CDCL solvers

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 23 / 42

SMT Approach — Idea

Utilize the learning capabilities of SAT

Combination of and a SAT solver SAT solver fjnds a partial assignment satisfying the boolean structure of the formula checks if the conjunction of the corresponding

• literals in the

partial assignment is

• satisfjable.

Modular (and effjcient) solution

Avoids explicit case splitting

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 24 / 42

SMT Approach — Idea

Utilize the learning capabilities of SAT

Combination of DPT and a SAT solver SAT solver fjnds a partial assignment satisfying the boolean structure of the formula checks if the conjunction of the corresponding

• literals in the

partial assignment is

• satisfjable.

Modular (and effjcient) solution

Avoids explicit case splitting

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 24 / 42

SMT Approach — Idea

Utilize the learning capabilities of SAT

Combination of DPT and a SAT solver SAT solver fjnds a partial assignment satisfying the boolean structure of the formula checks if the conjunction of the corresponding

• literals in the

partial assignment is

• satisfjable.

Modular (and effjcient) solution

Avoids explicit case splitting

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 24 / 42

SMT Approach — Idea

Utilize the learning capabilities of SAT

Combination of DPT and a SAT solver SAT solver fjnds a partial assignment satisfying the boolean structure of the formula DPT checks if the conjunction of the corresponding Σ-literals in the partial assignment is T-satisfjable.

Modular (and effjcient) solution

Avoids explicit case splitting

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 24 / 42

SMT Approach — Idea

Utilize the learning capabilities of SAT

Combination of DPT and a SAT solver SAT solver fjnds a partial assignment satisfying the boolean structure of the formula DPT checks if the conjunction of the corresponding Σ-literals in the partial assignment is T-satisfjable.

Modular (and effjcient) solution

Avoids explicit case splitting

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 24 / 42

SMT Approach — Idea

Utilize the learning capabilities of SAT

Combination of DPT and a SAT solver SAT solver fjnds a partial assignment satisfying the boolean structure of the formula DPT checks if the conjunction of the corresponding Σ-literals in the partial assignment is T-satisfjable.

Modular (and effjcient) solution

Avoids explicit case splitting

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 24 / 42

Propositional Skeleton

Boolean encoder of an atom a is a unique boolean variable e(a). Propositional skeleton of a formula ϕ is denoted as e(ϕ) and is the result of replacing each atom with its boolean encoder.

Example

The encoder of atom is The encoder of atom is The propositional skeleton of formula is defjned as

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 25 / 42

Propositional Skeleton

Boolean encoder of an atom a is a unique boolean variable e(a). Propositional skeleton of a formula ϕ is denoted as e(ϕ) and is the result of replacing each atom with its boolean encoder.

Example

The encoder of atom x = y is e(x = y) The encoder of atom is The propositional skeleton of formula is defjned as

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 25 / 42

Propositional Skeleton

Boolean encoder of an atom a is a unique boolean variable e(a). Propositional skeleton of a formula ϕ is denoted as e(ϕ) and is the result of replacing each atom with its boolean encoder.

Example

The encoder of atom x = y is e(x = y) The encoder of atom x = z is e(x = z) The propositional skeleton of formula is defjned as

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 25 / 42

Propositional Skeleton

Boolean encoder of an atom a is a unique boolean variable e(a). Propositional skeleton of a formula ϕ is denoted as e(ϕ) and is the result of replacing each atom with its boolean encoder.

Example

The encoder of atom x = y is e(x = y) The encoder of atom x = z is e(x = z) The propositional skeleton of formula ϕ = (x = y) ∨ (x = z) is defjned as e(ϕ) = e(x = y) ∨ e(x = z)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 25 / 42

Integrating a SAT Solver With DPT

Assume a NNF formula ϕ = (x = y) ∧ ((y = z ∧ ¬(x = z)) ∨ (x = z)) Compute the propositional skeleton of Set initial propositional formula

SAT solver will be iteratively called with

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 26 / 42

Integrating a SAT Solver With DPT

Assume a NNF formula ϕ = (x = y) ∧ ((y = z ∧ ¬(x = z)) ∨ (x = z)) Compute the propositional skeleton of ϕ e(ϕ) = e(x = y) ∧ ((e(y = z) ∧ ¬e(x = z)) ∨ e(x = z)) Set initial propositional formula

SAT solver will be iteratively called with

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 26 / 42

Integrating a SAT Solver With DPT

Assume a NNF formula ϕ = (x = y) ∧ ((y = z ∧ ¬(x = z)) ∨ (x = z)) Compute the propositional skeleton of ϕ e(ϕ) = e(x = y) ∧ ((e(y = z) ∧ ¬e(x = z)) ∨ e(x = z)) Set initial propositional formula B = e(ϕ)

SAT solver will be iteratively called with B

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 26 / 42

Integrating a SAT Solver With DPT

B = e(x = y) ∧ (( e(y = z) ∧ ¬e(x = z) ) ∨ e(x = z) ) Run a SAT solver on B Assume it returned a satisfying assignment: Run

• n conjunction

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 27 / 42

Integrating a SAT Solver With DPT

B = e(x = y) ∧ (( e(y = z) ∧ ¬e(x = z) ) ∨ e(x = z) ) Run a SAT solver on B Assume it returned a satisfying assignment: α = {e(x = y), e(y = z), ¬e(x = z)} Run

• n conjunction

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 27 / 42

Integrating a SAT Solver With DPT

B = e(x = y) ∧ (( e(y = z) ∧ ¬e(x = z) ) ∨ e(x = z) ) Run a SAT solver on B Assume it returned a satisfying assignment: α = {e(x = y), e(y = z), ¬e(x = z)} Run DPT on conjunction ̂ Th(α) = (x = y) ∧ (y = z) ∧ ¬(x = z)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 27 / 42

Integrating a SAT Solver With DPT

̂ Th(α) = (x = y) ∧ (y = z) ∧ ¬(x = z) declares unsatisfjable Extend by adding clause blocking assignment

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 28 / 42

Integrating a SAT Solver With DPT

̂ Th(α) = (x = y) ∧ (y = z) ∧ ¬(x = z) x y z

x ≠ z x = y y = z

declares unsatisfjable Extend by adding clause blocking assignment

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 28 / 42

Integrating a SAT Solver With DPT

̂ Th(α) = (x = y) ∧ (y = z) ∧ ¬(x = z) x y z

x ≠ z x = y y = z

DPT declares ̂ Th(α) unsatisfjable Extend by adding clause blocking assignment

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 28 / 42

Integrating a SAT Solver With DPT

̂ Th(α) = (x = y) ∧ (y = z) ∧ ¬(x = z) x y z

x ≠ z x = y y = z

DPT declares ̂ Th(α) unsatisfjable Extend B by adding clause ¬̂ Th(α) blocking assignment α B ← B ∧ (¬e(x = y) ∨ ¬e(y = z) ∨ e(x = z))

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 28 / 42

Integrating a SAT Solver With DPT

B = e(x = y) ∧ (( e(y = z) ∧ ¬e(x = z) ) ∨ e(x = z) ) ∧ ( ¬e(x = y) ∨ ¬e(y = z) ∨ e(x = z) ) Run a SAT solver on B Assume it returned a satisfying assignment Run

• n conjunction

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 29 / 42

Integrating a SAT Solver With DPT

B = e(x = y) ∧ (( e(y = z) ∧ ¬e(x = z) ) ∨ e(x = z) ) ∧ ( ¬e(x = y) ∨ ¬e(y = z) ∨ e(x = z) ) Run a SAT solver on B Assume it returned a satisfying assignment α = {e(x = y), e(y = z), e(x = z)} Run

• n conjunction

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 29 / 42

Integrating a SAT Solver With DPT

B = e(x = y) ∧ (( e(y = z) ∧ ¬e(x = z) ) ∨ e(x = z) ) ∧ ( ¬e(x = y) ∨ ¬e(y = z) ∨ e(x = z) ) Run a SAT solver on B Assume it returned a satisfying assignment α = {e(x = y), e(y = z), e(x = z)} Run DPT on conjunction ̂ Th(α) = (x = y) ∧ (y = z) ∧ (x = z)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 29 / 42

Integrating a SAT Solver With DPT

̂ Th(α) = (x = y) ∧ (y = z) ∧ (x = z) declares satisfjable The original formula is

• satisfjable

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 30 / 42

Integrating a SAT Solver With DPT

̂ Th(α) = (x = y) ∧ (y = z) ∧ (x = z) x y z

x = z x = y y = z

declares satisfjable The original formula is

• satisfjable

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 30 / 42

Integrating a SAT Solver With DPT

̂ Th(α) = (x = y) ∧ (y = z) ∧ (x = z) x y z

x = z x = y y = z

DPT declares ̂ Th(α) satisfjable The original formula is

• satisfjable

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 30 / 42

Integrating a SAT Solver With DPT

̂ Th(α) = (x = y) ∧ (y = z) ∧ (x = z) x y z

x = z x = y y = z

DPT declares ̂ Th(α) satisfjable The original formula ϕ is T-satisfjable

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 30 / 42

Integrating a SAT Solver With DPT

DPT SAT solver α ̂ Th(α) t e(t) SAT solver works with propositional skeleton B

If B is unsatisfjable, then ϕ is T-unsatisfjable If B is satisfjable, satisfying assignment α is passed to DPT as a conjunction ̂ Th(α)

DPT checks T-satisfjability of ̂ Th(α)

If ̂ Th(α) is T-satisfjable, then ϕ is T-satisfjable If ̂ Th(α) is not T-satisfjable, DPT returns blocking clauses t

also called lemma, e.g. t = ¬̂ Th(α)

e(t) is added to B

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 31 / 42

Integrating a SAT Solver With DPT

DPT SAT solver α ̂ Th(α) t e(t) SAT solver works with propositional skeleton B

If B is unsatisfjable, then ϕ is T-unsatisfjable If B is satisfjable, satisfying assignment α is passed to DPT as a conjunction ̂ Th(α)

DPT checks T-satisfjability of ̂ Th(α)

If ̂ Th(α) is T-satisfjable, then ϕ is T-satisfjable If ̂ Th(α) is not T-satisfjable, DPT returns blocking clauses t

also called lemma, e.g. t = ¬̂ Th(α)

e(t) is added to B

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 31 / 42

Integrating a SAT Solver With DPT

DPT SAT solver α ̂ Th(α) t e(t) SAT solver works with propositional skeleton B

If B is unsatisfjable, then ϕ is T-unsatisfjable If B is satisfjable, satisfying assignment α is passed to DPT as a conjunction ̂ Th(α)

DPT checks T-satisfjability of ̂ Th(α)

If ̂ Th(α) is T-satisfjable, then ϕ is T-satisfjable If ̂ Th(α) is not T-satisfjable, DPT returns blocking clauses t

also called lemma, e.g. t = ¬̂ Th(α)

e(t) is added to B

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 31 / 42

Integrating a SAT Solver With DPT

DPT SAT solver α ̂ Th(α) t e(t) SAT solver works with propositional skeleton B

If B is unsatisfjable, then ϕ is T-unsatisfjable If B is satisfjable, satisfying assignment α is passed to DPT as a conjunction ̂ Th(α)

DPT checks T-satisfjability of ̂ Th(α)

If ̂ Th(α) is T-satisfjable, then ϕ is T-satisfjable If ̂ Th(α) is not T-satisfjable, DPT returns blocking clauses t

also called lemma, e.g. t = ¬̂ Th(α)

e(t) is added to B

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 31 / 42

Integrating a SAT Solver With DPT

DPT SAT solver α ̂ Th(α) t e(t) SAT solver works with propositional skeleton B

If B is unsatisfjable, then ϕ is T-unsatisfjable If B is satisfjable, satisfying assignment α is passed to DPT as a conjunction ̂ Th(α)

DPT checks T-satisfjability of ̂ Th(α)

If ̂ Th(α) is T-satisfjable, then ϕ is T-satisfjable If ̂ Th(α) is not T-satisfjable, DPT returns blocking clauses t

also called lemma, e.g. t = ¬̂ Th(α)

e(t) is added to B

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 31 / 42

Integrating a SAT Solver With DPT

DPT SAT solver α ̂ Th(α) t e(t) SAT solver works with propositional skeleton B

If B is unsatisfjable, then ϕ is T-unsatisfjable If B is satisfjable, satisfying assignment α is passed to DPT as a conjunction ̂ Th(α)

DPT checks T-satisfjability of ̂ Th(α)

If ̂ Th(α) is T-satisfjable, then ϕ is T-satisfjable If ̂ Th(α) is not T-satisfjable, DPT returns blocking clauses t

also called lemma, e.g. t = ¬̂ Th(α)

e(t) is added to B

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 31 / 42

Integrating a SAT Solver With DPT

DPT SAT solver α ̂ Th(α) t e(t) SAT solver works with propositional skeleton B

If B is unsatisfjable, then ϕ is T-unsatisfjable If B is satisfjable, satisfying assignment α is passed to DPT as a conjunction ̂ Th(α)

DPT checks T-satisfjability of ̂ Th(α)

If ̂ Th(α) is T-satisfjable, then ϕ is T-satisfjable If ̂ Th(α) is not T-satisfjable, DPT returns blocking clauses t

also called lemma, e.g. t = ¬̂ Th(α)

e(t) is added to B

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 31 / 42

Integrating a SAT Solver With DPT

DPT SAT solver α ̂ Th(α) t e(t) SAT solver works with propositional skeleton B

If B is unsatisfjable, then ϕ is T-unsatisfjable If B is satisfjable, satisfying assignment α is passed to DPT as a conjunction ̂ Th(α)

DPT checks T-satisfjability of ̂ Th(α)

If ̂ Th(α) is T-satisfjable, then ϕ is T-satisfjable If ̂ Th(α) is not T-satisfjable, DPT returns blocking clauses t

also called lemma, e.g. t = ¬̂ Th(α)

e(t) is added to B

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 31 / 42

Integration of a SAT solver and DPT (1)

Function LAZY-BASIC(ϕ) Input: Formula ϕ Output: SAT if ϕ is T-satisfjable, UNSAT if not B ← e(ϕ) while true do (α, r) ← SAT-solver(B) if r = UNSAT then return UNSAT (t,r) ← Deduction(̂ Th(α)) // Calls DPT(α) if r = SAT then return SAT B ← B ∧ e(t)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 32 / 42

Integration of a SAT solver and DPT (2)

Assume Deduction(̂ Th(α)) returns UNSAT and a formula t Formula t should satisfy the following requirements:

1 The formula t is T-valid 2 The atoms in t are restricted to those appearing in ϕ 3 The encoding of t contradicts α, i.e. e(t) is blocking

Requirement 1 guarantees soundness Requirements 2 and 3 guarantee termination The cooperation can be much more effjcient if DPT is integrated directly into the CDCL procedure of the SAT solver

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 33 / 42

Integration of a SAT solver and DPT (2)

Assume Deduction(̂ Th(α)) returns UNSAT and a formula t Formula t should satisfy the following requirements:

1 The formula t is T-valid 2 The atoms in t are restricted to those appearing in ϕ 3 The encoding of t contradicts α, i.e. e(t) is blocking

Requirement 1 guarantees soundness Requirements 2 and 3 guarantee termination The cooperation can be much more effjcient if DPT is integrated directly into the CDCL procedure of the SAT solver

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 33 / 42

Integration of a SAT solver and DPT (2)

Assume Deduction(̂ Th(α)) returns UNSAT and a formula t Formula t should satisfy the following requirements:

1 The formula t is T-valid 2 The atoms in t are restricted to those appearing in ϕ 3 The encoding of t contradicts α, i.e. e(t) is blocking

Requirement 1 guarantees soundness Requirements 2 and 3 guarantee termination The cooperation can be much more effjcient if DPT is integrated directly into the CDCL procedure of the SAT solver

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 33 / 42

Integration of a SAT solver and DPT (2)

Assume Deduction(̂ Th(α)) returns UNSAT and a formula t Formula t should satisfy the following requirements:

1 The formula t is T-valid 2 The atoms in t are restricted to those appearing in ϕ 3 The encoding of t contradicts α, i.e. e(t) is blocking

Requirement 1 guarantees soundness Requirements 2 and 3 guarantee termination The cooperation can be much more effjcient if DPT is integrated directly into the CDCL procedure of the SAT solver

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 33 / 42

Integration of a SAT solver and DPT (2)

Assume Deduction(̂ Th(α)) returns UNSAT and a formula t Formula t should satisfy the following requirements:

1 The formula t is T-valid 2 The atoms in t are restricted to those appearing in ϕ 3 The encoding of t contradicts α, i.e. e(t) is blocking

Requirement 1 guarantees soundness Requirements 2 and 3 guarantee termination The cooperation can be much more effjcient if DPT is integrated directly into the CDCL procedure of the SAT solver

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 33 / 42

Integration of a SAT solver and DPT (2)

Assume Deduction(̂ Th(α)) returns UNSAT and a formula t Formula t should satisfy the following requirements:

1 The formula t is T-valid 2 The atoms in t are restricted to those appearing in ϕ 3 The encoding of t contradicts α, i.e. e(t) is blocking

Requirement 1 guarantees soundness Requirements 2 and 3 guarantee termination The cooperation can be much more effjcient if DPT is integrated directly into the CDCL procedure of the SAT solver

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 33 / 42

Integration of a SAT solver and DPT (2)

Assume Deduction(̂ Th(α)) returns UNSAT and a formula t Formula t should satisfy the following requirements:

1 The formula t is T-valid 2 The atoms in t are restricted to those appearing in ϕ 3 The encoding of t contradicts α, i.e. e(t) is blocking

Requirement 1 guarantees soundness Requirements 2 and 3 guarantee termination The cooperation can be much more effjcient if DPT is integrated directly into the CDCL procedure of the SAT solver

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 33 / 42

Integration of a SAT solver and DPT (2)

Assume Deduction(̂ Th(α)) returns UNSAT and a formula t Formula t should satisfy the following requirements:

1 The formula t is T-valid 2 The atoms in t are restricted to those appearing in ϕ 3 The encoding of t contradicts α, i.e. e(t) is blocking

Requirement 1 guarantees soundness Requirements 2 and 3 guarantee termination The cooperation can be much more effjcient if DPT is integrated directly into the CDCL procedure of the SAT solver

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 33 / 42

Lazy-CDCL

Function Lazy-CDCL(ϕ) AddClauses(cnf(e(ϕ))) while true do while UnitPropagation() = CONFLICT do bl ← ConfmictAnalysis() if bl < 0 then return UNSAT Backtrack(bl) if Decide() fails then // Full satisfying assignment α found (t,r) ← Deduction(̂ Th(α)) if r = SAT then return SAT AddClauses(e(t))

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 34 / 42

Improving Lazy-CDLC

Do not wait until a full satisfying assignment is found Call Deduction(̂ Th(α)) on partial assignments α

1 theory-level confmicts are detected earlier and stronger lemmas are

returned to the SAT solver,

2 theory can deduce a value for some literals ⇒ theory propagation.

If Deduction(̂ Th(α)) does not detect contradiction, then t and e(t) are equivalent to true (e.g. empty conjunction)

Example

Suppose that ϕ contains atoms x ≥ 10 and x < 0 No satisfying assignment can satisfy both e(x ≥ 10) and e(x < 0) Given e(x ≥ 10), linear arithmetic can deduce that ¬e(x < 0)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 35 / 42

Improving Lazy-CDLC

Do not wait until a full satisfying assignment is found Call Deduction(̂ Th(α)) on partial assignments α

1 theory-level confmicts are detected earlier and stronger lemmas are

returned to the SAT solver,

2 theory can deduce a value for some literals ⇒ theory propagation.

If Deduction(̂ Th(α)) does not detect contradiction, then t and e(t) are equivalent to true (e.g. empty conjunction)

Example

Suppose that ϕ contains atoms x ≥ 10 and x < 0 No satisfying assignment can satisfy both e(x ≥ 10) and e(x < 0) Given e(x ≥ 10), linear arithmetic can deduce that ¬e(x < 0)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 35 / 42

Improving Lazy-CDLC

Do not wait until a full satisfying assignment is found Call Deduction(̂ Th(α)) on partial assignments α

1 theory-level confmicts are detected earlier and stronger lemmas are

returned to the SAT solver,

2 theory can deduce a value for some literals ⇒ theory propagation.

If Deduction(̂ Th(α)) does not detect contradiction, then t and e(t) are equivalent to true (e.g. empty conjunction)

Example

Suppose that ϕ contains atoms x ≥ 10 and x < 0 No satisfying assignment can satisfy both e(x ≥ 10) and e(x < 0) Given e(x ≥ 10), linear arithmetic can deduce that ¬e(x < 0)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 35 / 42

Improving Lazy-CDLC

Do not wait until a full satisfying assignment is found Call Deduction(̂ Th(α)) on partial assignments α

1 theory-level confmicts are detected earlier and stronger lemmas are

returned to the SAT solver,

2 theory can deduce a value for some literals ⇒ theory propagation.

If Deduction(̂ Th(α)) does not detect contradiction, then t and e(t) are equivalent to true (e.g. empty conjunction)

Example

Suppose that ϕ contains atoms x ≥ 10 and x < 0 No satisfying assignment can satisfy both e(x ≥ 10) and e(x < 0) Given e(x ≥ 10), linear arithmetic can deduce that ¬e(x < 0)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 35 / 42

Improving Lazy-CDLC

Do not wait until a full satisfying assignment is found Call Deduction(̂ Th(α)) on partial assignments α

1 theory-level confmicts are detected earlier and stronger lemmas are

returned to the SAT solver,

2 theory can deduce a value for some literals ⇒ theory propagation.

If Deduction(̂ Th(α)) does not detect contradiction, then t and e(t) are equivalent to true (e.g. empty conjunction)

Example

Suppose that ϕ contains atoms x ≥ 10 and x < 0 No satisfying assignment can satisfy both e(x ≥ 10) and e(x < 0) Given e(x ≥ 10), linear arithmetic can deduce that ¬e(x < 0)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 35 / 42

Improving Lazy-CDLC

Do not wait until a full satisfying assignment is found Call Deduction(̂ Th(α)) on partial assignments α

1 theory-level confmicts are detected earlier and stronger lemmas are

returned to the SAT solver,

2 theory can deduce a value for some literals ⇒ theory propagation.

If Deduction(̂ Th(α)) does not detect contradiction, then t and e(t) are equivalent to true (e.g. empty conjunction)

Example

Suppose that ϕ contains atoms x ≥ 10 and x < 0 No satisfying assignment can satisfy both e(x ≥ 10) and e(x < 0) Given e(x ≥ 10), linear arithmetic can deduce that ¬e(x < 0)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 35 / 42

Improving Lazy-CDLC

Do not wait until a full satisfying assignment is found Call Deduction(̂ Th(α)) on partial assignments α

1 theory-level confmicts are detected earlier and stronger lemmas are

returned to the SAT solver,

2 theory can deduce a value for some literals ⇒ theory propagation.

If Deduction(̂ Th(α)) does not detect contradiction, then t and e(t) are equivalent to true (e.g. empty conjunction)

Example

Suppose that ϕ contains atoms x ≥ 10 and x < 0 No satisfying assignment can satisfy both e(x ≥ 10) and e(x < 0) Given e(x ≥ 10), linear arithmetic can deduce that ¬e(x < 0)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 35 / 42

Algorithm DPLL(T)

Function DPLL(T)(ϕ)

AddClauses(cnf(e(ϕ))) α is a new partial assignment, updated during search while true do repeat while UnitPropagation() = CONFLICT do bl ← ConfmictAnalysis() if bl < 0 then return UNSAT Backtrack(bl) (t,r) ← Deduction(̂ Th(α)) AddClauses(e(t)) until t ≡ true if α is a full assignment then return SAT Decide()

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 36 / 42

DPLL(T) Components

Decide Backtrack Unit Propagation Confmict Analysis Deduction Add Clauses

SAT UNSAT

confmict α ̂ Th(α) t e(t) Theory propagation / confmict Nothing to propagate, no confmict α α all assigned bl < 0 bl ≥ 0

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 37 / 42

Exhaustive theory propagation

Propagate all literals implied by ̂ Th(α) in T In practice, usually too expensive and only simple, cheap propagations are performed

Example (Equality logic)

For each unassigned atom xi = xj If the current assignment forms a path from xi to xj using edges in E=, then xi = xj is implied If current assignment forms a path from xi to xj with exactly one edge from E≠, then ¬(xi = xj) is implied.

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 38 / 42

Exhaustive theory propagation

Propagate all literals implied by ̂ Th(α) in T In practice, usually too expensive and only simple, cheap propagations are performed

Example (Equality logic)

For each unassigned atom xi = xj If the current assignment forms a path from xi to xj using edges in E=, then xi = xj is implied If current assignment forms a path from xi to xj with exactly one edge from E≠, then ¬(xi = xj) is implied.

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 38 / 42

Exhaustive theory propagation

Propagate all literals implied by ̂ Th(α) in T In practice, usually too expensive and only simple, cheap propagations are performed

Example (Equality logic)

For each unassigned atom xi = xj If the current assignment forms a path from xi to xj using edges in E=, then xi = xj is implied If current assignment forms a path from xi to xj with exactly one edge from E≠, then ¬(xi = xj) is implied.

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 38 / 42

Exhaustive theory propagation

Propagate all literals implied by ̂ Th(α) in T In practice, usually too expensive and only simple, cheap propagations are performed

Example (Equality logic)

For each unassigned atom xi = xj If the current assignment forms a path from xi to xj using edges in E=, then xi = xj is implied If current assignment forms a path from xi to xj with exactly one edge from E≠, then ¬(xi = xj) is implied.

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 38 / 42

Exhaustive theory propagation

Propagate all literals implied by ̂ Th(α) in T In practice, usually too expensive and only simple, cheap propagations are performed

Example (Equality logic)

For each unassigned atom xi = xj If the current assignment forms a path from xi to xj using edges in E=, then xi = xj is implied If current assignment forms a path from xi to xj with exactly one edge from E≠, then ¬(xi = xj) is implied.

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 38 / 42

Blocking Clauses

Deduction(̂ Th(α)) returns blocking clause t If ̂ Th(α) implies a T-literal l, then t = (l ∨ ¬̂ Th(α)) e(t) = ⎛ ⎜ ⎝ e(l) ∨ ⋁

l′∈̂ Th(α)

¬e(l′) ⎞ ⎟ ⎠ The clause e(t) is used to derive e(l) by unit propagation and maybe never again

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 39 / 42

Blocking Clauses

Deduction(̂ Th(α)) returns blocking clause t If ̂ Th(α) implies a T-literal l, then t = (l ∨ ¬̂ Th(α)) e(t) = ⎛ ⎜ ⎝ e(l) ∨ ⋁

l′∈̂ Th(α)

¬e(l′) ⎞ ⎟ ⎠ The clause e(t) is used to derive e(l) by unit propagation and maybe never again

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 39 / 42

Blocking Clauses

Deduction(̂ Th(α)) returns blocking clause t If ̂ Th(α) implies a T-literal l, then t = (l ∨ ¬̂ Th(α)) e(t) = ⎛ ⎜ ⎝ e(l) ∨ ⋁

l′∈̂ Th(α)

¬e(l′) ⎞ ⎟ ⎠ The clause e(t) is used to derive e(l) by unit propagation and maybe never again

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 39 / 42

Implied Assignments Instead of Blocking Clauses

Let Deduction(̂ Th(α)) return all T-literals implied by α DPLL(T)() adds the implied literals to the partial assignment These literals do not have antecedent

If any of them is used in ConfmictAnalysis(), DPT is asked for an explanation Clause explaining why the literal was implied The explanation clauses are added lazily on demand, not immediately when a literal is implied

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 40 / 42

Implied Assignments Instead of Blocking Clauses

Let Deduction(̂ Th(α)) return all T-literals implied by α DPLL(T)() adds the implied literals to the partial assignment These literals do not have antecedent

If any of them is used in ConfmictAnalysis(), DPT is asked for an explanation Clause explaining why the literal was implied The explanation clauses are added lazily on demand, not immediately when a literal is implied

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 40 / 42

Implied Assignments Instead of Blocking Clauses

Let Deduction(̂ Th(α)) return all T-literals implied by α DPLL(T)() adds the implied literals to the partial assignment These literals do not have antecedent

If any of them is used in ConfmictAnalysis(), DPT is asked for an explanation Clause explaining why the literal was implied The explanation clauses are added lazily on demand, not immediately when a literal is implied

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 40 / 42

Implied Assignments Instead of Blocking Clauses

Let Deduction(̂ Th(α)) return all T-literals implied by α DPLL(T)() adds the implied literals to the partial assignment These literals do not have antecedent

If any of them is used in ConfmictAnalysis(), DPT is asked for an explanation Clause explaining why the literal was implied The explanation clauses are added lazily on demand, not immediately when a literal is implied

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 40 / 42

Implied Assignments Instead of Blocking Clauses

Let Deduction(̂ Th(α)) return all T-literals implied by α DPLL(T)() adds the implied literals to the partial assignment These literals do not have antecedent

If any of them is used in ConfmictAnalysis(), DPT is asked for an explanation Clause explaining why the literal was implied The explanation clauses are added lazily on demand, not immediately when a literal is implied

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 40 / 42

Implied Assignments Instead of Blocking Clauses

Let Deduction(̂ Th(α)) return all T-literals implied by α DPLL(T)() adds the implied literals to the partial assignment These literals do not have antecedent

If any of them is used in ConfmictAnalysis(), DPT is asked for an explanation Clause explaining why the literal was implied The explanation clauses are added lazily on demand, not immediately when a literal is implied

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 40 / 42

Generating strong lemmas

Deduction (̂ Th(α)) returns a lemma to block current assignment α (in case of confmict). Stronger lemmas block more assignments. Identify a minimal set of literals in α causing the confmict (unsatisfjable core).

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 41 / 42

Generating strong lemmas

Deduction (̂ Th(α)) returns a lemma to block current assignment α (in case of confmict). Stronger lemmas block more assignments. Identify a minimal set of literals in α causing the confmict (unsatisfjable core).

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 41 / 42

Generating strong lemmas

Deduction (̂ Th(α)) returns a lemma to block current assignment α (in case of confmict). Stronger lemmas block more assignments. Identify a minimal set of literals in α causing the confmict (unsatisfjable core).

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 41 / 42

Summary

Decision procedure for quantifjer-free theory can be obtained by a combination of a SAT solver and a decision procedure for the conjunctive fragment of the theory. More efgective if DPT

can generate strong explanations for confmict can derive values of yet unassigned literals (theory propagation) is incremental

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (6th lecture) 42 / 42