Solving Quantified Verification Conditions using Satisfiability Modulo Theories

Transcription

1 Solving Quantified Verification Conditions using Satisfiability Modulo Theories Yeting Ge, Clark Barrett, Cesare Tinelli Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.1/27

2 Motivation First order logic provides a convenient formalism for specifying verification conditions Verification conditions often involve arithmetic and other well-established theories Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.2/27

3 Motivation First order logic provides a convenient formalism for specifying verification conditions Verification conditions often involve arithmetic and other well-established theories Approaches to checking verification conditions in first order logic Pure first order Automated Theorem Proving (ATP) Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.2/27

4 Motivation First order logic provides a convenient formalism for specifying verification conditions Verification conditions often involve arithmetic and other well-established theories Approaches to checking verification conditions in first order logic Pure first order Automated Theorem Proving (ATP) Good at reasoning about quantified formulas Not so good at theory reasoning Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.2/27

5 Motivation First order logic provides a convenient formalism for specifying verification conditions Verification conditions often involve arithmetic and other well-established theories Approaches to checking verification conditions in first order logic Pure first order Automated Theorem Proving (ATP) Good at reasoning about quantified formulas Not so good at theory reasoning Some useful theories are not finitely axiomatizable Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.2/27

6 Motivation First order logic provides a convenient formalism for specifying verification conditions Verification conditions often involve arithmetic and other well-established theories Approaches to checking verification conditions in first order logic Pure first order Automated Theorem Proving (ATP) Good at reasoning about quantified formulas Not so good at theory reasoning Some useful theories are not finitely axiomatizable Add ad-hoc axioms (Denney et al. IJCAR 2004) Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.2/27

7 Motivation First order logic provides a convenient formalism for specifying verification conditions Verification conditions often involve arithmetic and other well-established theories Approaches to checking verification conditions in first order logic Pure first order Automated Theorem Proving (ATP) Good at reasoning about quantified formulas Not so good at theory reasoning Some useful theories are not finitely axiomatizable Add ad-hoc axioms (Denney et al. IJCAR 2004) Are there any alternatives? Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.2/27

8 Motivation Approaches to checking verification conditions in first order logic Automated theorem proving based on Satisfiability Modulo Theories (SMT) A SMT problem is to determine the satisfiability of some formula ϕ with respect to some fixed background theory T Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.3/27

9 Motivation Approaches to checking verification conditions in first order logic Automated theorem proving based on Satisfiability Modulo Theories (SMT) A SMT problem is to determine the satisfiability of some formula ϕ with respect to some fixed background theory T Is Select(Store(arr, i, a), i) a satisfiable? Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.3/27

10 Motivation Approaches to checking verification conditions in first order logic Automated theorem proving based on Satisfiability Modulo Theories (SMT) A SMT problem is to determine the satisfiability of some formula ϕ with respect to some fixed background theory T Is Select(Store(arr, i, a), i) a satisfiable? Many useful background (combined) theories T can be decided by efficient procedures Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.3/27

11 Motivation Approaches to checking verification conditions in first order logic Automated theorem proving based on Satisfiability Modulo Theories (SMT) A SMT problem is to determine the satisfiability of some formula ϕ with respect to some fixed background theory T Is Select(Store(arr, i, a), i) a satisfiable? Many useful background (combined) theories T can be decided by efficient procedures Good at theory reasoning Not so good at quantified formulas Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.3/27

12 Motivation Approaches to checking verification conditions in first order logic Automated theorem proving based on Satisfiability Modulo Theories (SMT) A SMT problem is to determine the satisfiability of some formula ϕ with respect to some fixed background theory T Is Select(Store(arr, i, a), i) a satisfiable? Many useful background (combined) theories T can be decided by efficient procedures Good at theory reasoning Not so good at quantified formulas Exception: Simplify Instantiation based and incomplete Shown to work for practical problems Successful, but no longer supported Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.3/27

13 Outline Quantifier reasoning in SMT SMT solvers and Abstract DPLL Modulo Theories framework Triggers, matching and instantiation Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.4/27

14 Outline Quantifier reasoning in SMT SMT solvers and Abstract DPLL Modulo Theories framework Triggers, matching and instantiation Challenges Trigger selection Instantiation loops Eager and lazy instantiation Irrelevant axioms Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.4/27

15 Outline Quantifier reasoning in SMT SMT solvers and Abstract DPLL Modulo Theories framework Triggers, matching and instantiation Challenges Trigger selection Instantiation loops Eager and lazy instantiation Irrelevant axioms Experimental results Comparison of different heuristics (in CVC3) Comparison of SMT solvers Comparison of ATP and SMT solvers Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.4/27

16 Solver for SMT Modern SMT solvers (lazy) integrate a SAT solver and one or more theory solvers Abstraction SAT Theory Solver UF Arithmetic Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.5/27

17 SMT Example To prove (a = b) (f(a) = f(b)) is unsatisfiable Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.6/27

18 SMT Example To prove (a = b) (f(a) = f(b)) is unsatisfiable (a = b) (f(a) = f(b)) Abstraction SAT Solver Theory Solver Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.6/27

19 SMT Example To prove (a = b) (f(a) = f(b)) is unsatisfiable Abstraction (a = b) (f(a) = f(b)) b1 : f(a) = f(b) b2 : a = b SAT Solver Theory Solver Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.6/27

20 SMT Example To prove (a = b) (f(a) = f(b)) is unsatisfiable (a = b) (f(a) = f(b)) Abstraction b1 : f(a) = f(b) b2 : a = b SAT Solver b2 b1 Theory Solver Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.6/27

21 SMT Example To prove (a = b) (f(a) = f(b)) is unsatisfiable (a = b) (f(a) = f(b)) Abstraction b1 : f(a) = f(b) b2 : a = b SAT Solver b2 b1 {b1 = F b2 = T } Theory Solver Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.6/27

22 SMT Example To prove (a = b) (f(a) = f(b)) is unsatisfiable (a = b) (f(a) = f(b)) Abstraction b1 : f(a) = f(b) b2 : a = b SAT Solver b2 b1 {b1 = F b2 = T } Theory Solver f(a) f(b) a = b Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.6/27

23 SMT Example To prove (a = b) (f(a) = f(b)) is unsatisfiable (a = b) (f(a) = f(b)) Abstraction b1 : f(a) = f(b) b2 : a = b SAT Solver b2 b1 {b1 = F b2 = T } T-unsat Theory Solver f(a) f(b) a = b Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.6/27

24 SMT Example To prove (a = b) (f(a) = f(b)) is unsatisfiable (a = b) (f(a) = f(b)) Abstraction b1 : f(a) = f(b) b2 : a = b SAT Solver b2 b1 No more {b1 = F b2 = T } T-unsat Theory Solver f(a) f(b) a = b Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.6/27

25 SMT Example To prove (a = b) (f(a) = f(b)) is unsatisfiable (a = b) (f(a) = f(b)) Abstraction b1 : f(a) = f(b) b2 : a = b Unsat SAT Solver b2 b1 No more {b1 = F b2 = T } T-unsat Theory Solver f(a) f(b) a = b Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.6/27

26 Quantifier Example To prove P(3) x.(x > 1 P(x)) is unsatisfiable. Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.7/27

27 Quantifier Example To prove P(3) x.(x > 1 P(x)) is unsatisfiable. P(3) x.(x > 1 P(x)) Abstraction b1 : P(3) b2 : x.(x > 1 P(x)) SAT Solver Theory Solver Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.7/27

28 Quantifier Example To prove P(3) x.(x > 1 P(x)) is unsatisfiable. P(3) x.(x > 1 P(x)) Abstraction b1 : P(3) b2 : x.(x > 1 P(x)) SAT Solver b2 b1 {b1 = F b2 = T } Theory Solver P(3) x.(x > 1 P(x)) Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.7/27

29 Quantifier Example To prove P(3) x.(x > 1 P(x)) is unsatisfiable. P(3) x.(x > 1 P(x)) Abstraction b1 : P(3) b2 : x.(x > 1 P(x)) SAT Solver b2 b1 {b1 = F b2 = T } Theory Solver P(3) x.(x > 1 P(x)) Instantiate x with 3 Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.7/27

30 Quantifier Example To prove P(3) x.(x > 1 P(x)) is unsatisfiable. P(3) x.(x > 1 P(x)) Abstraction b1 : P(3) b2 : x.(x > 1 P(x)) SAT Solver b2 b1 {b1 = F b2 = T } Theory Solver P(3) x.(x > 1 P(x)) Instantiate x with 3 3 > 1 P(3) Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.7/27

31 Quantifier Example To prove P(3) x.(x > 1 P(x)) is unsatisfiable. P(3) x.(x > 1 P(x)) Abstraction b1 : P(3) b2 : x.(x > 1 P(x)) SAT Solver b2 b1 {b1 = F b2 = T } T-unsat Theory Solver P(3) x.(x > 1 P(x)) Instantiate x with 3 3 > 1 P(3) Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.7/27

32 Quantifier Example To prove P(3) x.(x > 1 P(x)) is unsatisfiable. P(3) x.(x > 1 P(x)) Abstraction b1 : P(3) b2 : x.(x > 1 P(x)) SAT Solver b2 b1 No more {b1 = F b2 = T } T-unsat Theory Solver P(3) x.(x > 1 P(x)) Instantiate x with 3 3 > 1 P(3) Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.7/27

33 Quantifier Example To prove P(3) x.(x > 1 P(x)) is unsatisfiable. P(3) x.(x > 1 P(x)) Abstraction b1 : P(3) b2 : x.(x > 1 P(x)) Unsat SAT Solver b2 b1 No more {b1 = F b2 = T } T-unsat Theory Solver P(3) x.(x > 1 P(x)) Instantiate x with 3 3 > 1 P(3) Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.7/27

34 Abstract DPLL Modulo Theories Abstract DPLL Modulo Theories is a formalism for DPLL-based smt solvers Describes SMT solvers as transition systems (a set of states and transition rules) Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.8/27

35 Abstract DPLL Modulo Theories Abstract DPLL Modulo Theories is a formalism for DPLL-based smt solvers Describes SMT solvers as transition systems (a set of states and transition rules) States: Fail M F (M is a set of literals assumed so far, F is a set of CNF clauses) Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.8/27

36 Abstract DPLL Modulo Theories Abstract DPLL Modulo Theories is a formalism for DPLL-based smt solvers Describes SMT solvers as transition systems (a set of states and transition rules) States: Fail M F (M is a set of literals assumed so far, F is a set of CNF clauses) Final state: Fail M F (M is T satisfiable and M = F ) Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.8/27

37 Abstract DPLL Modulo Theories Abstract DPLL Modulo Theories is a formalism for DPLL-based smt solvers Describes SMT solvers as transition systems (a set of states and transition rules) States: Fail M F (M is a set of literals assumed so far, F is a set of CNF clauses) Final state: Fail The goal: M F (M is T satisfiable and M = F ) From initial state F 0, derive a final state Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.8/27

38 Example of Transition Rules Unit propagation in SAT UnitPropagate : M F, C l = M l F, C l if M = C l is undefined in M Theory propagation T-Propagate : M F = M l F if M = T l l or l occurs in F l is undefined in M Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.9/27

39 Rules for Quantifier Instantiation An abstract literal is either a literal or a quantified formula ϕ[x/t] denotes the result of substituting t for all free occurrences of x in ϕ Only satisfiability is preserved Inst_ : M F = M F, ( ( x. P) P[x/sk]) if Inst_ : M F = M F, ( ( x. P) P[x/t]) if 8 < : 8 < : x. P is in M sk is a fresh constant. x. P is in M t is a ground term. Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.10/27

40 What to instantiate Suppose φ = x.p(f(x)) is asserted to be true Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.11/27

41 What to instantiate Suppose φ = x.p(f(x)) is asserted to be true Instantiate x with every ground term (naive instantiation) Too many instantiations Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.11/27

42 What to instantiate Suppose φ = x.p(f(x)) is asserted to be true Instantiate x with every ground term (naive instantiation) Too many instantiations Instantiate x with terms relevant to φ If some subterm of φ[x/t] appears in other asserted ground formulas, t is relevant to φ Similar to resolution Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.11/27

43 What to instantiate Suppose φ = x.p(f(x)) is asserted to be true Instantiate x with every ground term (naive instantiation) Too many instantiations Instantiate x with terms relevant to φ If some subterm of φ[x/t] appears in other asserted ground formulas, t is relevant to φ Similar to resolution How to find relevant terms? 1. Select a subterm of φ that contains x, say f(x) 2. If f(x) matches with a ground term that appears in other formulas, say f(a), a is relevant f(x) is called a trigger E unification Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.11/27

44 Challenges Given a set of quantified formulas and ground formulas 1. Select some subterms of a quantified formula as triggers 2. Match triggers with ground terms 3. Instantiate quantified formulas Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.12/27

45 Challenges Given a set of quantified formulas and ground formulas 1. Select some subterms of a quantified formula as triggers 2. Match triggers with ground terms 3. Instantiate quantified formulas Challenges Triggers Matching (equalities, fast matching algorithm) Instantiation Instantiation loops Eager and lazy instantiation Irrelevant axioms Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.12/27

46 Triggers Trigger selection Triggers should contain all bound variables Triggers can have more bound variables than those quantified by outermost quantifiers (Simplify does not allow this) Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.13/27

47 Triggers Trigger selection Triggers should contain all bound variables Triggers can have more bound variables than those quantified by outermost quantifiers (Simplify does not allow this) Sometimes no single subterm contains all bound variables Multi-triggers (as in Simplify) Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.13/27

48 Triggers Trigger selection Triggers should contain all bound variables Triggers can have more bound variables than those quantified by outermost quantifiers (Simplify does not allow this) Sometimes no single subterm contains all bound variables Multi-triggers (as in Simplify) Special trigger heuristics Transitivity Anti-symmetry Array index Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.13/27

49 Instantiation Loops Instantiation could introduce loops 1. x.p(f(x),f(g(x))) (Simplify) 2. x.( y.f(x) f(y) = 2) 3. Loops due to several formulas Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.14/27

50 Instantiation Loops Instantiation could introduce loops 1. x.p(f(x),f(g(x))) (Simplify) 2. x.( y.f(x) f(y) = 2) f(x) is selected as trigger. Suppose f(3) appears somewhere. f(x) matches f(3) 3. Loops due to several formulas Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.14/27

51 Instantiation Loops Instantiation could introduce loops 1. x.p(f(x),f(g(x))) (Simplify) 2. x.( y.f(x) f(y) = 2) f(x) is selected as trigger. Suppose f(3) appears somewhere. f(x) matches f(3) y.f(3) f(y) = 2 3. Loops due to several formulas Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.14/27

52 Instantiation Loops Instantiation could introduce loops 1. x.p(f(x),f(g(x))) (Simplify) 2. x.( y.f(x) f(y) = 2) f(x) is selected as trigger. Suppose f(3) appears somewhere. f(x) matches f(3) y.f(3) f(y) = 2 f(3) f(sk1) = 2 3. Loops due to several formulas Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.14/27

53 Instantiation Loops Instantiation could introduce loops 1. x.p(f(x),f(g(x))) (Simplify) 2. x.( y.f(x) f(y) = 2) f(x) is selected as trigger. Suppose f(3) appears somewhere. f(x) matches f(3) y.f(3) f(y) = 2 f(3) f(sk1) = 2 f(x) matches f(sk1) 3. Loops due to several formulas Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.14/27

54 Instantiation Loops Instantiation could introduce loops 1. x.p(f(x),f(g(x))) (Simplify) 2. x.( y.f(x) f(y) = 2) f(x) is selected as trigger. Suppose f(3) appears somewhere. f(x) matches f(3) y.f(3) f(y) = 2 f(3) f(sk1) = 2 f(x) matches f(sk1) f(sk2) 3. Loops due to several formulas Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.14/27

55 Instantiation Loops Instantiation could introduce loops 1. x.p(f(x),f(g(x))) (Simplify) 2. x.( y.f(x) f(y) = 2) f(x) is selected as trigger. Suppose f(3) appears somewhere. f(x) matches f(3) y.f(3) f(y) = 2 f(3) f(sk1) = 2 f(x) matches f(sk1) f(sk2) Loops due to several formulas Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.14/27

56 Instantiation Loops Instantiation could introduce loops 1. x.p(f(x),f(g(x))) (Simplify) 2. x.( y.f(x) f(y) = 2) f(x) is selected as trigger. Suppose f(3) appears somewhere. f(x) matches f(3) y.f(3) f(y) = 2 f(3) f(sk1) = 2 f(x) matches f(sk1) f(sk2) Loops due to several formulas Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.14/27

57 Instantiation Loops Instantiation could introduce loops 1. x.p(f(x),f(g(x))) (Simplify) 2. x.( y.f(x) f(y) = 2) 3. Loops due to several formulas Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.15/27

58 Instantiation Loops Instantiation could introduce loops 1. x.p(f(x),f(g(x))) (Simplify) 2. x.( y.f(x) f(y) = 2) 3. Loops due to several formulas Loops are not always bad Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.15/27

59 Instantiation Loops Instantiation could introduce loops 1. x.p(f(x),f(g(x))) (Simplify) 2. x.( y.f(x) f(y) = 2) 3. Loops due to several formulas Loops are not always bad We experimented two kinds of loop prevention mechanism Static loop test (as in Simplify) Dynamic loop detection Both are abandoned Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.15/27

60 Eager and lazy instantiation Eager instantiation Instantiate after boolean constraint propagation Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.16/27

61 Eager and lazy instantiation Eager instantiation Instantiate after boolean constraint propagation May find contradictions earlier May introduce useless clauses Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.16/27

62 Eager and lazy instantiation Eager instantiation Instantiate after boolean constraint propagation May find contradictions earlier May introduce useless clauses Lazy instantiation Instantiate when no more possible splits in SAT Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.16/27

63 Eager and lazy instantiation Eager instantiation Instantiate after boolean constraint propagation May find contradictions earlier May introduce useless clauses Lazy instantiation Instantiate when no more possible splits in SAT Instantiate only when necessary May be too late Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.16/27

64 Eager and lazy instantiation Eager instantiation Instantiate after boolean constraint propagation May find contradictions earlier May introduce useless clauses Lazy instantiation Instantiate when no more possible splits in SAT Instantiate only when necessary May be too late Is there a way to have a balance between lazy and eager instantiation? Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.16/27

65 Irrelevant axioms Verification conditions are often of the form Γ ϕ where ϕ is a formula and Γ is a large fixed T -satisfiable collection of (quantified) axioms Many formulas and ground terms in Γ are irrelevant to the proof of unsatisfiability of Γ ϕ Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.17/27

66 Irrelevant axioms Verification conditions are often of the form Γ ϕ where ϕ is a formula and Γ is a large fixed T -satisfiable collection of (quantified) axioms Many formulas and ground terms in Γ are irrelevant to the proof of unsatisfiability of Γ ϕ The solver may spend a lot of resources on irrelevant axioms Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.17/27

67 Irrelevant axioms Verification conditions are often of the form Γ ϕ where ϕ is a formula and Γ is a large fixed T -satisfiable collection of (quantified) axioms Many formulas and ground terms in Γ are irrelevant to the proof of unsatisfiability of Γ ϕ The solver may spend a lot of resources on irrelevant axioms It is difficult to determine whether axioms are relevant or not Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.17/27

68 Irrelevant axioms Verification conditions are often of the form Γ ϕ where ϕ is a formula and Γ is a large fixed T -satisfiable collection of (quantified) axioms Many formulas and ground terms in Γ are irrelevant to the proof of unsatisfiability of Γ ϕ The solver may spend a lot of resources on irrelevant axioms It is difficult to determine whether axioms are relevant or not How to prevent the solver from spending too many resources on irrelevant axioms? Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.17/27

69 Three birds, one stone: Instantiation level Definition of instantiation level IL(g) of ground term g All terms appearing in original problem have an instantiation level of 0 If ground term g matches some trigger of x.p and g has an instantiation level IL(g), then all new terms in P[x/t] (as well as new terms derived from them) have instantiation level of IL(g) + 1. Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.18/27

70 Three birds, one stone: Instantiation level Definition of instantiation level IL(g) of ground term g All terms appearing in original problem have an instantiation level of 0 If ground term g matches some trigger of x.p and g has an instantiation level IL(g), then all new terms in P[x/t] (as well as new terms derived from them) have instantiation level of IL(g) + 1. Only ground terms with an instantiation level less than an upper bound are used in matching Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.18/27

71 Three birds, one stone: Instantiation level Definition of instantiation level IL(g) of ground term g All terms appearing in original problem have an instantiation level of 0 If ground term g matches some trigger of x.p and g has an instantiation level IL(g), then all new terms in P[x/t] (as well as new terms derived from them) have instantiation level of IL(g) + 1. Only ground terms with an instantiation level less than an upper bound are used in matching The upper bound is increased if CVC3 runs out of ground terms Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.18/27

72 Three birds, one stone: Instantiation level Definition of instantiation level IL(g) of ground term g All terms appearing in original problem have an instantiation level of 0 If ground term g matches some trigger of x.p and g has an instantiation level IL(g), then all new terms in P[x/t] (as well as new terms derived from them) have instantiation level of IL(g) + 1. Only ground terms with an instantiation level less than an upper bound are used in matching The upper bound is increased if CVC3 runs out of ground terms Advantages of instantiation levels Neutralizes the harmful effect of instantiation loops Balances the eagerness of instantiations Avoids spending too many resources on irrelevant axioms Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.18/27

73 Experimental Results Test cases are from SMT LIB. AUFLIA/Burns 14 AUFLIA/misc 29 AUFLIA/piVC 42 AUFLIA/RicartAgrawala 14 AUFLIA/simplify 833 AUFLIRA/nasa AUFNIRA/nasa 1561 Only hard cases (5599) are selected AMD Opteron (64 bit), 1G memory, time limit 5 minutes Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.19/27

74 CVC3 with Different Heuristics eager without IL / lazy without IL / IL Category B-E B-L IL-E AUFLIA/Burns AUFLIA/misc AUFLIA/piVC AUFLIA/RicAgla AUFLIA/simplify AUFLIRA/nasa AUFNIRA/nasa Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.20/27

75 CVC3, Yices and Fx7 Yices, version of SMT competition 2006 Fx7, as of Nov 15, 2006 CVC3, version 1.1 fx7 yices CVC3 category #case #valid time #valid time #valid time AUFLIA/Burns AUFLIA/misc AUFLIA/piVC AUFLIA/RicAgla AUFLIA/simplify AUFLIRA/nasa AUFNIRA/nasa N/A N/A Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.21/27

76 SMT and ATP NASA cases Verification conditions of some NASA software Introduced by Denney et al. at IJCAR 2004 Claim: Modern ATPs are powerful enough for practical application in program certification T The first set generated, the hardest T, T prop (e.g. true P ===> true) T eval (e.g. succ(pred(x)) ===> x) T array T policy T array (ad-hoc simplification, the easiest) simplification of T, Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.22/27

77 CVC3, Simplify, SPASS, Vampire Simplify Still one of the best SMT solvers for quantifier reasoning that is publicly available Vampire, version 8.1 One of the best ATPs, won two categories of CASC competition in recent years SPASS, version 2.2 The best ATP in the IJCAR 2004 paper Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.23/27

78 CVC3, Simplify, SPASS, Vampire category #cases Vampire SPASS Simplify CVC3 T T, T prop T eval T array T policy T array total Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.24/27

79 CVC3, Simplify, SPASS, Vampire category Vampire SPASS Simplify CVC3 T T, T prop T eval T array T policy T array total Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.25/27

80 Related works SMT solvers [1] D. Detlefs, G. Nelson, and J. B. Saxe. Simplify: a theorem prover for program checking. J. ACM, 52(3): , [2] B. Dutertre and L. Moura. Yices. yices.csl.sri.com/ [3] M. Moskal. Fx7. nemerle.org/ malekith/smt/en.html SMT benchmarks [4] S. Ranise and C. Tinelli. The satisfiability modulo theories library (SMT-LIB) [5] E. Denney, B. Fischer, and J. Schumann. Using automated theorem provers to certify auto-generated aerospace software. In D. A. Basin and M. Rusinowitch, editors, IJCAR, volume 3097 of Lecture Notes in Computer Science, pages Springer, DPLL(T) [6] H. Ganzinger, G. Hagen, R. Knowings, A. Oliveras, and C. Tinelli. DPLL(T): Fast decision procedures. In R. Alur and D. Peled, editors, Proceedings of the 16th International Conference on Computer Aided Verification, CAV 04 (Boston, Massachusetts), volume 3114 of LUCKS, pages Springer, 2004 Ṡolving Quantified Verification Conditions using Satisfiability Modulo Theories p.26/27

81 Summary Instantiation level heuristic meets several challenges in quantifier reasoning For certain kinds of verification conditions, SMT solvers may be a better choice Future work Efficient multi-trigger matching with equalities Techniques from ATP Solving Quantified Verification Conditions using Satisfiability Modulo Theories p.27/27