An Introduction to Satisfiability Modulo Theories

Size: px

Start display at page:

Download "An Introduction to Satisfiability Modulo Theories"

Chrystal Clarke
5 years ago
Views:

1 ICCAD 2009 Tutorial p. 1/78 An Introduction to Satisfiability Modulo Theories Clark Barrett and Sanjit Seshia

2 ICCAD 2009 Tutorial p. 2/78 Roadmap Theory Solvers Examples of Theory Solvers Combining Theory Solvers Extending Theory Solvers for SMT

3 ICCAD 2009 Tutorial p. /78 Theory Solvers Given a theory T, a Theory Solver for T takes as input a set Φ of literals and determines whether Φ is T -satisfiable. Φ is T -satisfiable iff there is some model M of T such that each formula in Φ holds in M. We next consider some examples of theory solvers.

4 ICCAD 2009 Tutorial p. 4/78 Congruence Closure and QF _UF Recall that QF _UF is the theory with only equality and uninterpreted function symbols. If Γ is a set of equalities and is a set of disequalities, then the satisfiability of Γ in QF _UF can be determined as follows [NO80, DST80]: Let τ be the set of terms appearing in Γ. Let be the equiavlence relation on τ induced by Γ (i.e. t 1 t 2 iff t 1 = t 2 Γ or t 2 = t 1 Γ). Let be the congruence closure of, obtained by closing with respect to the congruence property: s = t f(s) = f(t). Γ is satisfiable iff for each s t, s t.

5 ICCAD 2009 Tutorial p. 5/78 A Solver for QF _UF union and find are abstract operations for manipulating equivalence classes. union(x, y) makes y the new equivalence class representative for x. find(x) returns the unique representative for the equivalence class containing x. The signature of a term is defined as: sig(f(x 1,...,x n )) = f(find(x 1 ),...,find(x n )).

6 ICCAD 2009 Tutorial p. 6/78 A Solver for QF _UF CC(Γ, ) while Γ Remove some equality a = b from Γ; Merge(find(a), find(b)); if find(a) = find(b) for some a b then return False; return True; Merge(a, b) if a = b then return; Let A be the set of terms containing a as an argument union(a, b); foreach x A if sig(x) = sig(y) for some y then Merge(find(x), find(y));

7 ICCAD 2009 Tutorial p. 7/78 Example f(f(a)) = a f(f(f(a))) = a g(a,b) g(f(a),b) t find(t) sig(t) a a a f(a) f(a) f(a) f(f(a)) f(f(a)) f(f(a)) f(f(f(a))) f(f(f(a))) f(f(f(a))) b b b g(a, b) g(a, b) g(a, b) g(f(a),b) g(f(a),b) g(f(a),b)

8 ICCAD 2009 Tutorial p. 8/78 Example f(f(a)) = a f(f(f(a))) = a g(a,b) g(f(a),b) t find(t) sig(t) a a a f(a) f(a) f(a) f(f(a)) f(f(a)) f(f(a)) f(f(f(a))) f(f(f(a))) f(f(f(a))) b b b g(a, b) g(a, b) g(a, b) g(f(a),b) g(f(a),b) g(f(a),b)

9 ICCAD 2009 Tutorial p. 9/78 Example f(f(a)) = a f(f(f(a))) = a g(a,b) g(f(a),b) t find(t) sig(t) a a a f(a) f(a) f(a) f(f(a)) a f(f(a)) f(f(f(a))) f(f(f(a))) f(f(f(a))) b b b g(a, b) g(a, b) g(a, b) g(f(a),b) g(f(a),b) g(f(a),b)

10 ICCAD 2009 Tutorial p. 10/78 Example f(f(a)) = a f(f(f(a))) = a g(a,b) g(f(a),b) t find(t) sig(t) a a a f(a) f(a) f(a) f(f(a)) a f(f(a)) f(f(f(a))) f(f(f(a))) f(f(f(a))) b b b g(a, b) g(a, b) g(a, b) g(f(a),b) g(f(a),b) g(f(a),b)

11 ICCAD 2009 Tutorial p. 11/78 Example f(f(a)) = a f(f(f(a))) = a g(a,b) g(f(a),b) t find(t) sig(t) a a a f(a) f(a) f(a) f(f(a)) a f(f(a)) f(f(f(a))) f(f(f(a))) f(a) b b b g(a, b) g(a, b) g(a, b) g(f(a),b) g(f(a),b) g(f(a),b)

12 ICCAD 2009 Tutorial p. 12/78 Example f(f(a)) = a f(f(f(a))) = a g(a,b) g(f(a),b) t find(t) sig(t) a a a f(a) f(a) f(a) f(f(a)) a f(f(a)) f(f(f(a))) f(f(f(a))) f(a) b b b g(a, b) g(a, b) g(a, b) g(f(a),b) g(f(a),b) g(f(a),b)

13 ICCAD 2009 Tutorial p. 1/78 Example f(f(a)) = a f(f(f(a))) = a g(a,b) g(f(a),b) t find(t) sig(t) a a a f(a) f(a) f(a) f(f(a)) a f(f(a)) f(f(f(a))) f(a) f(a) b b b g(a, b) g(a, b) g(a, b) g(f(a),b) g(f(a),b) g(f(a),b)

14 ICCAD 2009 Tutorial p. 14/78 Example f(f(a)) = a f(f(f(a))) = a g(a,b) g(f(a),b) t find(t) sig(t) a a a f(a) f(a) f(a) f(f(a)) a f(f(a)) f(f(f(a))) f(a) f(a) b b b g(a, b) g(a, b) g(a, b) g(f(a),b) g(f(a),b) g(f(a),b)

15 ICCAD 2009 Tutorial p. 15/78 Example f(f(a)) = a f(f(f(a))) = a g(a,b) g(f(a),b) t find(t) sig(t) a a a f(a) f(a) f(a) f(f(a)) a f(f(a)) f(f(f(a))) f(a) f(a) b b b g(a, b) g(a, b) g(a, b) g(f(a),b) g(f(a),b) g(f(a),b)

16 ICCAD 2009 Tutorial p. 16/78 Example f(f(a)) = a f(f(f(a))) = a g(a,b) g(f(a),b) t find(t) sig(t) a a a f(a) a f(a) f(f(a)) a f(f(a)) f(f(f(a))) a f(a) b b b g(a, b) g(a, b) g(a, b) g(f(a),b) g(f(a),b) g(f(a),b)

17 ICCAD 2009 Tutorial p. 17/78 Example f(f(a)) = a f(f(f(a))) = a g(a,b) g(f(a),b) t find(t) sig(t) a a a f(a) a f(a) f(f(a)) a f(f(a)) f(f(f(a))) a f(a) b b b g(a, b) g(a, b) g(a, b) g(f(a),b) g(f(a),b) g(f(a),b)

18 ICCAD 2009 Tutorial p. 18/78 Example f(f(a)) = a f(f(f(a))) = a g(a,b) g(f(a),b) t find(t) sig(t) a a a f(a) a f(a) f(f(a)) a f(a) f(f(f(a))) a f(a) b b b g(a, b) g(a, b) g(a, b) g(f(a),b) g(f(a),b) g(a,b)

19 ICCAD 2009 Tutorial p. 19/78 Example f(f(a)) = a f(f(f(a))) = a g(a,b) g(f(a),b) t find(t) sig(t) a a a f(a) a f(a) f(f(a)) a f(a) f(f(f(a))) a f(a) b b b g(a, b) g(a, b) g(a, b) g(f(a),b) g(f(a),b) g(a,b)

20 ICCAD 2009 Tutorial p. 20/78 Example f(f(a)) = a f(f(f(a))) = a g(a,b) g(f(a),b) t find(t) sig(t) a a a f(a) a f(a) f(f(a)) a f(a) f(f(f(a))) a f(a) b b b g(a, b) g(a, b) g(a, b) g(f(a), b) g(a, b) g(a, b)

21 ICCAD 2009 Tutorial p. 21/78 Example f(f(a)) = a f(f(f(a))) = a g(a,b) g(f(a),b) t find(t) sig(t) a a a f(a) a f(a) f(f(a)) a f(a) f(f(f(a))) a f(a) b b b g(a, b) g(a, b) g(a, b) g(f(a), b) g(a, b) g(a, b)

22 ICCAD 2009 Tutorial p. 22/78 Example f(f(a)) = a f(f(f(a))) = a g(a,b) g(f(a),b) t find(t) sig(t) a a a f(a) a f(a) f(f(a)) a f(a) f(f(f(a))) a f(a) b b b g(a, b) g(a, b) g(a, b) g(f(a), b) g(a, b) g(a, b)

23 ICCAD 2009 Tutorial p. 2/78 Example f(f(a)) = a f(f(f(a))) = a g(a,b) g(f(a),b) t find(t) sig(t) a a a f(a) a f(a) f(f(a)) a f(a) f(f(f(a))) a f(a) b b b g(a, b) g(a, b) g(a, b) g(f(a), b) g(a, b) g(a, b) find(g(a, b)) = find(g(f(a), b)) Unsatisfiable

24 ICCAD 2009 Tutorial p. 24/78 Difference Logic In difference logic [NO05], we are interested in the satisfiability of a conjunction of arithmetic atoms. Each atom is of the form x y c, where x and y are variables, c is a numeric constant, and {=,<,,>, }. The variables can range over either the integers (QF _IDL) or the reals (QF _RDL).

25 ICCAD 2009 Tutorial p. 25/78 Difference Logic The first step is to rewrite everything in terms of :

26 ICCAD 2009 Tutorial p. 25/78 Difference Logic The first step is to rewrite everything in terms of : x y = c = x y c x y c

27 ICCAD 2009 Tutorial p. 25/78 Difference Logic The first step is to rewrite everything in terms of : x y = c = x y c x y c x y c = y x c

28 ICCAD 2009 Tutorial p. 25/78 Difference Logic The first step is to rewrite everything in terms of : x y = c = x y c x y c x y c = y x c x y > c = y x < c

29 ICCAD 2009 Tutorial p. 25/78 Difference Logic The first step is to rewrite everything in terms of : x y = c = x y c x y c x y c = y x c x y > c = y x < c x y < c = x y c 1 (integers)

30 ICCAD 2009 Tutorial p. 25/78 Difference Logic The first step is to rewrite everything in terms of : x y = c = x y c x y c x y c = y x c x y > c = y x < c x y < c = x y c 1 (integers) x y < c = x y c δ (reals)

31 ICCAD 2009 Tutorial p. 26/78 Difference Logic Now we have a conjunction of literals, all of the form x y c. From these literals, we form a weighted directed graph with a vertex for each variable. For each literal x y c, there is an edge x c y. The set of literals is satisfiable iff there is no cycle for which the sum of the weights on the edges is negative. There are a number of efficient algorithms for detecting negative cycles in graphs [CG96].

32 ICCAD 2009 Tutorial p. 27/78 Example: QF _IDL x y = 5 z y 2 z x > 2 w x = 2 z w < 0

33 ICCAD 2009 Tutorial p. 27/78 Example: QF _IDL x y = 5 z y 2 z x > 2 w x = 2 z w < 0 x y = 5 z y 2 z x > 2 w x = 2 z w < 0 w x 2 x w 2

34 ICCAD 2009 Tutorial p. 28/78 Example: QF _IDL x y = 5 z y 2 z x > 2 w x = 2 z w < 0 x y = 5 z y 2 z x > 2 w x = 2 z w < 0 w x 2 x w 2

35 ICCAD 2009 Tutorial p. 29/78 Example: QF _IDL x y = 5 z y 2 z x > 2 w x = 2 z w < 0 x y = 5 x y 5 y x 5 z y 2 y z 2 z x > 2 x z w x = 2 w x 2 x w 2 z w < 0 z w 1

36 ICCAD 2009 Tutorial p. 0/78 Example: QF _IDL y x z w

37 ICCAD 2009 Tutorial p. 1/78 Roadmap Theory Solvers Examples of Theory Solvers Combining Theory Solvers Extending Theory Solvers for SMT

38 ICCAD 2009 Tutorial p. 2/78 Combining Theory Solvers Theory solvers become much more useful if they can be used together. mux_sel = 0 mux_out = select(regfile,addr) mux_sel = 1 mux_out = ALU(alu0,alu1) For such formulas, we are interested in satisfiability with respect to a combination of theories. Fortunately, there exist methods for combining theory solvers. The standard technique for this is the Nelson-Oppen method [NO79, TH96].

39 ICCAD 2009 Tutorial p. /78 The Nelson-Oppen Method The Nelson-Oppen method is applicable when: 1. The theories have no shared symbols (other than equality). 2. The theories are stably-infinite. A theory T is stably-infinite if every T -satisfiable quantifier-free formula is satisfiable in an infinite model.. The formulas to be tested for satisfiability are quantifier-free Many theories fit these criteria, and extensions exist in some cases when they do not.

40 ICCAD 2009 Tutorial p. 4/78 The Nelson-Oppen Method Suppose that T 1 and T 2 are theories and that Sat 1 is a theory solver for T 1 -satisfiability and Sat 2 for T 1 -satisfiability. We wish to determine if φ is T 1 T 2 -satisfiable. 1. Convert φ to its separate form φ 1 φ Let S be the set of variables shared between φ 1 and φ 2.. For each arrangement of S: (a) Run Sat 1 on φ 1. (b) Run Sat 2 on φ 2.

41 ICCAD 2009 Tutorial p. 5/78 The Nelson-Oppen Method If there exists an arrangement such that both Sat 1 and Sat 2 succeed, then φ is T 1 T 2 -satisfiable. If no such arrangement exists, then φ is T 1 T 2 -unsatisfiable.

42 ICCAD 2009 Tutorial p. 6/78 Example Consider the following QF _U F LIA formula: φ = 1 x x 2 f(x) f(1) f(x) f(2).

43 ICCAD 2009 Tutorial p. 6/78 Example Consider the following QF _U F LIA formula: φ = 1 x x 2 f(x) f(1) f(x) f(2). We first convert φ to a separate form: φ UF = f(x) f(y) f(x) f(z) φ LIA = 1 x x 2 y = 1 z = 2 The shared variables are {x,y,z}. There are 5 possible arrangements based on equivalence classes of x, y, and z.

44 ICCAD 2009 Tutorial p. 7/78 Example φ UF = f(x) f(y) f(x) f(z) φ LIA = 1 x x 2 y = 1 z = 2 1. {x = y,x = z,y = z} 2. {x = y,x z,y z}. {x y,x = z,y z} 4. {x y,x z,y = z} 5. {x y,x z,y z}

45 ICCAD 2009 Tutorial p. 7/78 Example φ UF = f(x) f(y) f(x) f(z) φ LIA = 1 x x 2 y = 1 z = 2 1. {x = y,x = z,y = z}: inconsistent with φ UF. 2. {x = y,x z,y z}. {x y,x = z,y z} 4. {x y,x z,y = z} 5. {x y,x z,y z}

46 ICCAD 2009 Tutorial p. 7/78 Example φ UF = f(x) f(y) f(x) f(z) φ LIA = 1 x x 2 y = 1 z = 2 1. {x = y,x = z,y = z}: inconsistent with φ UF. 2. {x = y,x z,y z}: inconsistent with φ UF.. {x y,x = z,y z} 4. {x y,x z,y = z} 5. {x y,x z,y z}

47 ICCAD 2009 Tutorial p. 7/78 Example φ UF = f(x) f(y) f(x) f(z) φ LIA = 1 x x 2 y = 1 z = 2 1. {x = y,x = z,y = z}: inconsistent with φ UF. 2. {x = y,x z,y z}: inconsistent with φ UF.. {x y,x = z,y z}: inconsistent with φ UF. 4. {x y,x z,y = z} 5. {x y,x z,y z}

48 ICCAD 2009 Tutorial p. 7/78 Example φ UF = f(x) f(y) f(x) f(z) φ LIA = 1 x x 2 y = 1 z = 2 1. {x = y,x = z,y = z}: inconsistent with φ UF. 2. {x = y,x z,y z}: inconsistent with φ UF.. {x y,x = z,y z}: inconsistent with φ UF. 4. {x y,x z,y = z}: inconsistent with φ LIA. 5. {x y,x z,y z}

49 ICCAD 2009 Tutorial p. 7/78 Example φ UF = f(x) f(y) f(x) f(z) φ LIA = 1 x x 2 y = 1 z = 2 1. {x = y,x = z,y = z}: inconsistent with φ UF. 2. {x = y,x z,y z}: inconsistent with φ UF.. {x y,x = z,y z}: inconsistent with φ UF. 4. {x y,x z,y = z}: inconsistent with φ LIA. 5. {x y,x z,y z}: inconsistent with φ LIA.

50 ICCAD 2009 Tutorial p. 7/78 Example φ UF = f(x) f(y) f(x) f(z) φ LIA = 1 x x 2 y = 1 z = 2 1. {x = y,x = z,y = z}: inconsistent with φ UF. 2. {x = y,x z,y z}: inconsistent with φ UF.. {x y,x = z,y z}: inconsistent with φ UF. 4. {x y,x z,y = z}: inconsistent with φ LIA. 5. {x y,x z,y z}: inconsistent with φ LIA. Therefore, φ is unsatisfiable.

51 ICCAD 2009 Tutorial p. 8/78 Roadmap Theory Solvers Examples of Theory Solvers Combining Theory Solvers Extending Theory Solvers for SMT

52 ICCAD 2009 Tutorial p. 9/78 Desirable Characteristics of Theory Solvers Theory solvers must be able to determine whether a conjunction of literals is satisfiable. However, in order to integrate a theory solver into a modern SMT solver, it is helpful if the theory solvers can do more.

53 ICCAD 2009 Tutorial p. 40/78 Desirable Characteristics of Theory Solvers Some desirable characterstics of theory solvers include: Incrementality - easy to add new literals or backtrack to a previous state Layered/Lazy - able to detect simple inconsistencies quickly, able to detect difficult inconsistencies eventually Equality Propagating - If theory solvers can detect when two terms are equivalent, this greatly simplifies the search for a satisfying arrangement

54 ICCAD 2009 Tutorial p. 41/78 Desirable Characteristics of Theory Solvers Some desirable characterstics of theory solvers include: Model Generating - When reporting satisfiable, the theory solver also provides a concrete value for each variable or function symbol Proof Generating - When reporting unsatisfiable, the theory solver also provides a checkable proof Interpolant Generating - If φ ψ is unsatisfiable, find a formula α containing only symbols appearing in both φ and ψ such that: φ α is unsatisfiable α ψ is unsatisfiable

55 ICCAD 2009 Tutorial p. 42/78 Lazy SMT Theory solvers check the satisfiability of conjunctions of literals. What about more general Boolean structure? What is needed is a combination of Boolean reasoning and theory reasoning. The eager approach to SMT does this by encoding theory reasoning as a Boolean satisfiability problem. Here, I will focus on the lazy approach in which both a Boolean engine and a theory solver work together to solve the problem [dmrs02, BDS02a].

56 ICCAD 2009 Tutorial p. 4/78 Roadmap From SAT to SMT Abstract DPLL Abstract DPLL Modulo Theories Key Optimizations Quantifier Instantiation

57 ICCAD 2009 Tutorial p. 44/78 Abstract DPLL We start with an abstract description of DPLL, the algorithm used by most SAT solvers [NOT06].

58 ICCAD 2009 Tutorial p. 44/78 Abstract DPLL We start with an abstract description of DPLL, the algorithm used by most SAT solvers [NOT06]. Abstract DPLL uses states and transitions to model the progress of the algorithm.

59 ICCAD 2009 Tutorial p. 44/78 Abstract DPLL We start with an abstract description of DPLL, the algorithm used by most SAT solvers [NOT06]. Abstract DPLL uses states and transitions to model the progress of the algorithm. Most states are of the form M F, where M is a sequence of annotated literals denoting a partial truth assignment, and F is the CNF formula being checked, represented as a set of clauses.

60 ICCAD 2009 Tutorial p. 44/78 Abstract DPLL We start with an abstract description of DPLL, the algorithm used by most SAT solvers [NOT06]. Abstract DPLL uses states and transitions to model the progress of the algorithm. Most states are of the form M F, where M is a sequence of annotated literals denoting a partial truth assignment, and F is the CNF formula being checked, represented as a set of clauses. The initial state is F, where F is to be checked for satisfiability.

61 ICCAD 2009 Tutorial p. 44/78 Abstract DPLL We start with an abstract description of DPLL, the algorithm used by most SAT solvers [NOT06]. Abstract DPLL uses states and transitions to model the progress of the algorithm. Most states are of the form M F, where M is a sequence of annotated literals denoting a partial truth assignment, and F is the CNF formula being checked, represented as a set of clauses. The initial state is F, where F is to be checked for satisfiability. Transitions between states are defined by a set of conditional transition rules.

62 ICCAD 2009 Tutorial p. 45/78 Abstract DPLL The final state is either: a special fail state: fail, if F is unsatisfiable, or M G, where G is a CNF formula equisatisfiable with the original formula F, with M = G We write M = C to mean that C is satisfied whenever M is satisfied. Or in other words, C is a propositional consequence of the conjunction of the literals in M.

63 ICCAD 2009 Tutorial p. 46/78 Abstract DPLL Rules UnitProp : M F, C l = M l F, C l if PureLiteral : M F = M l F if Decide : M F = M l d F if Backtrack : Fail : M l d N F, C = M l F, C if M F, C = fail if 8 < : 8 >< >: 8 < : 8 < : 8 < : M = C l is undefined in M l occurs in some clause of F l occurs in no clause of F l is undefined in M l or l occurs in a clause of F l is undefined in M M l d N = C N contains no decision literals M = C M contains no decision literals

64 ICCAD 2009 Tutorial p. 47/78 Example 1 2, 1 2, 2, 2, 1 4 = (PureLiteral) 4 1 d 2

65 ICCAD 2009 Tutorial p. 48/78 Example 1 2, 1 2, 2, 2, 1 4 = (PureLiteral) 4 1 2, 1 2, 2, 2, d 2

66 ICCAD 2009 Tutorial p. 49/78 Example 1 2, 1 2, 2, 2, 1 4 = (PureLiteral) 4 1 2, 1 2, 2, 2, 1 4 = (Decide) 4 1 d 1 2, 1 2, 2, 2, d 2

67 ICCAD 2009 Tutorial p. 50/78 Example 1 2, 1 2, 2, 2, 1 4 = (PureLiteral) 4 1 2, 1 2, 2, 2, 1 4 = (Decide) 4 1 d 1 2, 1 2, 2, 2, 1 4 = (UnitProp) 4 1 d 2 1 2, 1 2, 2, 2, d 2

68 ICCAD 2009 Tutorial p. 51/78 Example 1 2, 1 2, 2, 2, 1 4 = (PureLiteral) 4 1 2, 1 2, 2, 2, 1 4 = (Decide) 4 1 d 1 2, 1 2, 2, 2, 1 4 = (UnitProp) 4 1 d 2 1 2, 1 2, 2, 2, 1 4 = (UnitProp) 4 1 d 2 1 2, 1 2, 2, 2, 1 4

69 ICCAD 2009 Tutorial p. 52/78 Example 1 2, 1 2, 2, 2, 1 4 = (PureLiteral) 4 1 2, 1 2, 2, 2, 1 4 = (Decide) 4 1 d 1 2, 1 2, 2, 2, 1 4 = (UnitProp) 4 1 d 2 1 2, 1 2, 2, 2, 1 4 = (UnitProp) 4 1 d 2 1 2, 1 2, 2, 2, 1 4 = (Backtrack) , 1 2, 2, 2, 1 4

70 ICCAD 2009 Tutorial p. 5/78 Example 1 2, 1 2, 2, 2, 1 4 = (PureLiteral) 4 1 2, 1 2, 2, 2, 1 4 = (Decide) 4 1 d 1 2, 1 2, 2, 2, 1 4 = (UnitProp) 4 1 d 2 1 2, 1 2, 2, 2, 1 4 = (UnitProp) 4 1 d 2 1 2, 1 2, 2, 2, 1 4 = (Backtrack) , 1 2, 2, 2, 1 4 = (UnitProp) , 1 2, 2, 2, 1 4

71 ICCAD 2009 Tutorial p. 54/78 Example 1 2, 1 2, 2, 2, 1 4 = (PureLiteral) 4 1 2, 1 2, 2, 2, 1 4 = (Decide) 4 1 d 1 2, 1 2, 2, 2, 1 4 = (UnitProp) 4 1 d 2 1 2, 1 2, 2, 2, 1 4 = (UnitProp) 4 1 d 2 1 2, 1 2, 2, 2, 1 4 = (Backtrack) , 1 2, 2, 2, 1 4 = (UnitProp) , 1 2, 2, 2, 1 4 = (Fail) fail

72 ICCAD 2009 Tutorial p. 54/78 Example 1 2, 1 2, 2, 2, 1 4 = (PureLiteral) 4 1 2, 1 2, 2, 2, 1 4 = (Decide) 4 1 d 1 2, 1 2, 2, 2, 1 4 = (UnitProp) 4 1 d 2 1 2, 1 2, 2, 2, 1 4 = (UnitProp) 4 1 d 2 1 2, 1 2, 2, 2, 1 4 = (Backtrack) , 1 2, 2, 2, 1 4 = (UnitProp) , 1 2, 2, 2, 1 4 = (Fail) fail Result: Unsatisfiable

73 ICCAD 2009 Tutorial p. 55/78 Additional Abstract DPLL Rules Backjump : M l d N F, C = M l F, C if Learn : M F = M F, C if Forget : M F, C = M F if 8 >< >: 8 < : n M l d N = C, and there is some clause C l such that: F, C = C l and M = C, l is undefined in M, and l or l occurs in F or in M l d N all atoms of C occur in F F = C F = C Restart : M F = F

74 ICCAD 2009 Tutorial p. 56/78 Roadmap From SAT to SMT Abstract DPLL Abstract DPLL Modulo Theories Key Optimizations Quantifier Instantiation

75 ICCAD 2009 Tutorial p. 57/78 Abstract DPLL Modulo Theories The Abstract DPLL Modulo Theories framework extends the Abstract DPLL framework to include theory reasoning [NOT06]. Assume we have a theory T and a solver Sat T that can check satisfiability of conjunctions of literals in T. Suppose we want to check the T -satisfiability of an arbitrary (quantifier-free) formula φ. We start by converting φ to CNF. We can then use the Abstract DPLL rules, allowing any first-order literal where before we had propositional literals.

76 ICCAD 2009 Tutorial p. 57/78 Abstract DPLL Modulo Theories The Abstract DPLL Modulo Theories framework extends the Abstract DPLL framework to include theory reasoning [NOT06]. Assume we have a theory T and a solver Sat T that can check satisfiability of conjunctions of literals in T. Suppose we want to check the T -satisfiability of an arbitrary (quantifier-free) formula φ. We start by converting φ to CNF. What other changes do we need to make to Abstract DPLL so it will work for SMT?

77 ICCAD 2009 Tutorial p. 58/78 Abstract DPLL Modulo Theories The first change is to the definition of a final state. A final state is now: the special fail state: fail, or M F, where M = F, and Sat T (M) reports satisfiable.

78 ICCAD 2009 Tutorial p. 58/78 Abstract DPLL Modulo Theories The first change is to the definition of a final state. A final state is now: the special fail state: fail, or M F, where M = F, and Sat T (M) reports satisfiable. What happens if we reach a state in which: M F, M = F, and Sat T (M) reports unsatisfiable? (call this a pseudo-final state)

79 ICCAD 2009 Tutorial p. 58/78 Abstract DPLL Modulo Theories The first change is to the definition of a final state. A final state is now: the special fail state: fail, or M F, where M = F, and Sat T (M) reports satisfiable. What happens if we reach a state in which: M F, M = F, and Sat T (M) reports unsatisfiable? (call this a pseudo-final state) We need to backtrack. The DPLL rules will take care of this automatically if we add a clause C such that M = C.

80 ICCAD 2009 Tutorial p. 58/78 Abstract DPLL Modulo Theories The first change is to the definition of a final state. A final state is now: the special fail state: fail, or M F, where M = F, and Sat T (M) reports satisfiable. What happens if we reach a state in which: M F, M = F, and Sat T (M) reports unsatisfiable? (call this a pseudo-final state) We need to backtrack. The DPLL rules will take care of this automatically if we add a clause C such that M = C. What clause should we add?

81 ICCAD 2009 Tutorial p. 58/78 Abstract DPLL Modulo Theories The first change is to the definition of a final state. A final state is now: the special fail state: fail, or M F, where M = F, and Sat T (M) reports satisfiable. What happens if we reach a state in which: M F, M = F, and Sat T (M) reports unsatisfiable? (call this a pseudo-final state) We need to backtrack. The DPLL rules will take care of this automatically if we add a clause C such that M = C. What clause should we add? How about M?

82 ICCAD 2009 Tutorial p. 59/78 Abstract DPLL Modulo Theories The justification for adding M is that = T M. Note that Γ = T φ denotes that φ holds whenever both Γ and T are satisfied. We can generalize this to allow any clause C to be added as long as F = T C. The following modified Learn rule allows this (we also modify the Forget rule in an analagous way): Theory Learn : M F = M F, C if Theory Forget : M F, C = M F if 8 < : n all atoms of C occur in F F = T C F = T C

83 ICCAD 2009 Tutorial p. 60/78 Abstract DPLL Modulo Theories The resulting set of rules is almost enough to correctly implement an SMT solver. We need one more change.

84 ICCAD 2009 Tutorial p. 60/78 Abstract DPLL Modulo Theories The resulting set of rules is almost enough to correctly implement an SMT solver. We need one more change. A somewhat surprising observation is that the pure literal rule has to be abandoned. Why?

85 ICCAD 2009 Tutorial p. 60/78 Abstract DPLL Modulo Theories The resulting set of rules is almost enough to correctly implement an SMT solver. We need one more change. A somewhat surprising observation is that the pure literal rule has to be abandoned. Why? Propositional literals are independent of each other, but first order literals may not be.

86 ICCAD 2009 Tutorial p. 60/78 Abstract DPLL Modulo Theories The resulting set of rules is almost enough to correctly implement an SMT solver. We need one more change. A somewhat surprising observation is that the pure literal rule has to be abandoned. Why? Propositional literals are independent of each other, but first order literals may not be. The remaining rules form a sound and complete procedure for SMT.

87 ICCAD 2009 Tutorial p. 61/78 Example of Lazy SMT g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4

88 ICCAD 2009 Tutorial p. 61/78 Example of Lazy SMT g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4

89 ICCAD 2009 Tutorial p. 61/78 Example of Lazy SMT g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4

90 ICCAD 2009 Tutorial p. 61/78 Example of Lazy SMT g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Decide) 1 2 d 4 d 1, 2, 4

91 ICCAD 2009 Tutorial p. 61/78 Example of Lazy SMT g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Decide) 1 2 d 4 d 1, 2, 4 = (Theory Learn) 1 2 d 4 d 1, 2, 4, 1 2 4

92 ICCAD 2009 Tutorial p. 61/78 Example of Lazy SMT g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Decide) 1 2 d 4 d 1, 2, 4 = (Theory Learn) 1 2 d 4 d 1, 2, 4, = (Backjump) 1 2 d 4 1, 2, 4, 1 2 4

93 ICCAD 2009 Tutorial p. 61/78 Example of Lazy SMT g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Decide) 1 2 d 4 d 1, 2, 4 = (Theory Learn) 1 2 d 4 d 1, 2, 4, = (Backjump) 1 2 d 4 1, 2, 4, = (UnitProp) 1 2 d 4 1, 2, 4, 1 2 4

94 ICCAD 2009 Tutorial p. 61/78 Example of Lazy SMT g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Decide) 1 2 d 4 d 1, 2, 4 = (Theory Learn) 1 2 d 4 d 1, 2, 4, = (Backjump) 1 2 d 4 1, 2, 4, = (UnitProp) 1 2 d 4 1, 2, 4, = (Theory Learn) 1 2 d 4 1, 2, 4, 1 2 4, 1 2 4

95 ICCAD 2009 Tutorial p. 61/78 Example of Lazy SMT g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Decide) 1 2 d 4 d 1, 2, 4 = (Theory Learn) 1 2 d 4 d 1, 2, 4, = (Backjump) 1 2 d 4 1, 2, 4, = (UnitProp) 1 2 d 4 1, 2, 4, = (Theory Learn) 1 2 d 4 1, 2, 4, 1 2 4, = (Backjump) 1 2 1, 2, 4, 1 2 4, 1 2 4

96 ICCAD 2009 Tutorial p. 61/78 Example of Lazy SMT g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Decide) 1 2 d 4 d 1, 2, 4 = (Theory Learn) 1 2 d 4 d 1, 2, 4, = (Backjump) 1 2 d 4 1, 2, 4, = (UnitProp) 1 2 d 4 1, 2, 4, = (Theory Learn) 1 2 d 4 1, 2, 4, 1 2 4, = (Backjump) 1 2 1, 2, 4, 1 2 4, = (UnitProp) , 2, 4, 1 2 4, 1 2 4

97 ICCAD 2009 Tutorial p. 61/78 Example of Lazy SMT g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Decide) 1 2 d 4 d 1, 2, 4 = (Theory Learn) 1 2 d 4 d 1, 2, 4, = (Backjump) 1 2 d 4 1, 2, 4, = (UnitProp) 1 2 d 4 1, 2, 4, = (Theory Learn) 1 2 d 4 1, 2, 4, 1 2 4, = (Backjump) 1 2 1, 2, 4, 1 2 4, = (UnitProp) , 2, 4, 1 2 4, = (Theory Learn) , 2, 4, 1 2 4, 1 2 4, 1 2 4

98 ICCAD 2009 Tutorial p. 61/78 Example of Lazy SMT g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Decide) 1 2 d 4 d 1, 2, 4 = (Theory Learn) 1 2 d 4 d 1, 2, 4, = (Backjump) 1 2 d 4 1, 2, 4, = (UnitProp) 1 2 d 4 1, 2, 4, = (Theory Learn) 1 2 d 4 1, 2, 4, 1 2 4, = (Backjump) 1 2 1, 2, 4, 1 2 4, = (UnitProp) , 2, 4, 1 2 4, = (Theory Learn) , 2, 4, 1 2 4, 1 2 4, = (Fail) fail

99 ICCAD 2009 Tutorial p. 62/78 Roadmap From SAT to SMT Abstract DPLL Abstract DPLL Modulo Theories Key Optimizations Quantifier Instantiation

100 ICCAD 2009 Tutorial p. 6/78 Key Optimizations We will mention three ways to improve the algorithm. Minimizing learned clauses Early conflict detection Theory propagation

101 ICCAD 2009 Tutorial p. 64/78 Minimizing Learned Clauses The main problem with the approach as described so far is that learning M in every pseudo-final state is very inefficient. To see why, recall that a pseudo-final state is: M F, where M = F, and Sat T (M) = False Note that M is a sequence of literals and could be quite large. However, it is often the case that a small subset of M is sufficient to cause an inconsistency in T.

102 ICCAD 2009 Tutorial p. 65/78 Minimizing Learned Clauses To solve the problem, whenever Sat T (M) is called, an effort must be made to find the smallest possible subset of M which is inconsistent. There are several methods: Brute-force minimization (typically too slow) Traverse a proof tree for each inconsistency (similar to traversing an implication graph in SAT solvers) Ad hoc per-theory techniques

103 ICCAD 2009 Tutorial p. 66/78 Example with Minimized Learned Clauses g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4

104 ICCAD 2009 Tutorial p. 66/78 Example with Minimized Learned Clauses g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4

105 ICCAD 2009 Tutorial p. 66/78 Example with Minimized Learned Clauses g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4

106 ICCAD 2009 Tutorial p. 66/78 Example with Minimized Learned Clauses g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Decide) 1 2 d 4 d 1, 2, 4

107 ICCAD 2009 Tutorial p. 66/78 Example with Minimized Learned Clauses g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Decide) 1 2 d 4 d 1, 2, 4 = (Theory Learn) 1 2 d 4 d 1, 2, 4, 1 2

108 ICCAD 2009 Tutorial p. 66/78 Example with Minimized Learned Clauses g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Decide) 1 2 d 4 d 1, 2, 4 = (Theory Learn) 1 2 d 4 d 1, 2, 4, 1 2 = (Backjump) 1 2 1, 2, 4, 1 2

109 ICCAD 2009 Tutorial p. 66/78 Example with Minimized Learned Clauses g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Decide) 1 2 d 4 d 1, 2, 4 = (Theory Learn) 1 2 d 4 d 1, 2, 4, 1 2 = (Backjump) 1 2 1, 2, 4, 1 2 = (UnitProp) , 2, 4, 1 2

110 ICCAD 2009 Tutorial p. 66/78 Example with Minimized Learned Clauses g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Decide) 1 2 d 4 d 1, 2, 4 = (Theory Learn) 1 2 d 4 d 1, 2, 4, 1 2 = (Backjump) 1 2 1, 2, 4, 1 2 = (UnitProp) , 2, 4, 1 2 = (Theory Learn) , 2, 4, 1 2, 1 4

111 ICCAD 2009 Tutorial p. 66/78 Example with Minimized Learned Clauses g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Decide) 1 2 d 4 d 1, 2, 4 = (Theory Learn) 1 2 d 4 d 1, 2, 4, 1 2 = (Backjump) 1 2 1, 2, 4, 1 2 = (UnitProp) , 2, 4, 1 2 = (Theory Learn) , 2, 4, 1 2, 1 4 = (Fail) fail

112 ICCAD 2009 Tutorial p. 67/78 Early Conflict Detection So far, we have indicated that we will check M for T -satisfiability only when a pseudo-final state is reached. In contrast, we could check M for T -satisfiability every time M changes, possibly resulting in earlier detection of conflicts. Experimental results show that this approach is significantly better. It requires Sat T to be online: able quickly to determine the consistency of incrementally more literals or to backtrack to a previous state. It also requires that the SAT solver be instrumented to call Sat T every time a variable is assigned a value.

113 ICCAD 2009 Tutorial p. 68/78 Example with Early Conflict Detection g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4

114 ICCAD 2009 Tutorial p. 68/78 Example with Early Conflict Detection g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4

115 ICCAD 2009 Tutorial p. 68/78 Example with Early Conflict Detection g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4

116 ICCAD 2009 Tutorial p. 68/78 Example with Early Conflict Detection g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Theory Learn) 1 2 d 1, 2, 4, 1 2

117 ICCAD 2009 Tutorial p. 68/78 Example with Early Conflict Detection g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Theory Learn) 1 2 d 1, 2, 4, 1 2 = (Backjump) 1 2 1, 2, 4, 1 2

118 ICCAD 2009 Tutorial p. 68/78 Example with Early Conflict Detection g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Theory Learn) 1 2 d 1, 2, 4, 1 2 = (Backjump) 1 2 1, 2, 4, 1 2 = (UnitProp) , 2, 4, 1 2

119 ICCAD 2009 Tutorial p. 68/78 Example with Early Conflict Detection g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Theory Learn) 1 2 d 1, 2, 4, 1 2 = (Backjump) 1 2 1, 2, 4, 1 2 = (UnitProp) , 2, 4, 1 2 = (Theory Learn) , 2, 4, 1 2, 1 4

120 ICCAD 2009 Tutorial p. 68/78 Example with Early Conflict Detection g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Decide) 1 2 d 1, 2, 4 = (Theory Learn) 1 2 d 1, 2, 4, 1 2 = (Backjump) 1 2 1, 2, 4, 1 2 = (UnitProp) , 2, 4, 1 2 = (Theory Learn) , 2, 4, 1 2, 1 4 = (Fail) fail

121 ICCAD 2009 Tutorial p. 69/78 Theory Propagation A final improvement is to add the following rule: Theory Propagate : M F = M l F if 8 >< >: M = T l l or l occurs in F l is undefined in M This rule allows Sat T to inform the SAT solver if it is able to deduce that an unassigned literal is entailed by the current set of literals (M). Experimental results show that this can also be very helpful in practice. Techniques for implementing theory propagation vary by solver and by theory.

122 ICCAD 2009 Tutorial p. 70/78 Example with Theory Propagation g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4

123 ICCAD 2009 Tutorial p. 70/78 Example with Theory Propagation g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4

124 ICCAD 2009 Tutorial p. 70/78 Example with Theory Propagation g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Theory Propagate) 1 2 1, 2, 4

125 ICCAD 2009 Tutorial p. 70/78 Example with Theory Propagation g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Theory Propagate) 1 2 1, 2, 4 = (UnitProp) 1 2 1, 2, 4

126 ICCAD 2009 Tutorial p. 70/78 Example with Theory Propagation g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Theory Propagate) 1 2 1, 2, 4 = (UnitProp) 1 2 1, 2, 4 = (Theory Propagate) , 2, 4

127 ICCAD 2009 Tutorial p. 70/78 Example with Theory Propagation g(a) = c 1 f(g(a)) f(c) 2 g(a) = d c d 4 g(a) d 1, 2, 4 = (UnitProp) 1 1, 2, 4 = (Theory Propagate) 1 2 1, 2, 4 = (UnitProp) 1 2 1, 2, 4 = (Theory Propagate) , 2, 4 = (Fail) fail

128 ICCAD 2009 Tutorial p. 71/78 Roadmap From SAT to SMT Abstract DPLL Abstract DPLL Modulo Theories Key Optimizations Quantifier Instantiation

129 ICCAD 2009 Tutorial p. 72/78 Quantifiers The Abstract DPLL Modulo Theories framework can also be extended to include rules for quantifier instantiation [GBT07]. First, we extend the notion of literal to that of an abstract literal which may include quantified formulas in place of atomic formulas. Add two additional rules: Inst_ : M F = M F, ( x. P P[x/sk]) if Inst_ : M F = M F, ( x. P P[x/t]) if 8 < : 8 < : x P is an abstract literal in M sk is a fresh constant. x P is an abstract literal in M t is a ground term.

130 ICCAD 2009 Tutorial p. 7/78 An Example Suppose a and b are constant symbols and f is an uninterpreted function symbol. We show how to prove the validity of the following formula: (0 b ( x. 0 x f(x) = a)) f(b) = a We first negate the formula and put it into abstract CNF. The result is three unit clauses: (0 b) ( x. ( 0 x f(x) = a)) ( f(b) = a)

131 ICCAD 2009 Tutorial p. 74/78 An Example Let l 1,l 2,l denote the three abstract literals in the above clauses. Then the following is a derivation in the extended framework: (l 1 )(l 2 )(l ) = (UnitProp) l 1,l 2,l (l 1 )(l 2 )(l ) = (Inst_ ) l 1,l 2,l (l 1 )(l 2 )(l )( (0 b) f(b) = a) = (Fail) fail The last transition is possible because M falsifies the last clause in F and contains no decisions (case-splits). As a result, we may conclude that the original set of clauses is unsatisfiable, which implies that the original formula is valid.

132 ICCAD 2009 Tutorial p. 75/78 Quantifiers The simple technique of quantifier instantiation is remarkably effective on verification benchmarks. The main difficulty is coming up with the right terms to instantiate. Matching techniques pioneered by Simplify [DNS0] have recently been adopted and improved by several modern SMT solvers [FJS04, BdM07, GBT07].

133 ICCAD 2009 Tutorial p. 76/78 References [BdM07] [BDS02a] [CG96] [dmrs02] [DNS0] Nikolaj Bjørner and Leonardo de Moura. Efficient E-matching for SMT solvers. In Frank Pfenning, editor, Proceedings of the 21 st International Conference on Automated Deduction (CADE 07), volume 460 of Lecture Notes in Artificial Intelligence, pages Springer-Verlag, July 2007 Clark W. Barrett, David L. Dill, and Aaron Stump. Checking satisfiability of first-order formulas by incremental translation to SAT. In Ed Brinksma and Kim Guldstrand Larsen, editors, Proceedings of the 14 th International Conference on Computer Aided Verification (CAV 02), volume 2404 of Lecture Notes in Computer Science, pages Springer-Verlag, July Copenhagen, Denmark B. V. Cherkassy and A. V. Goldberg. Negative-cycle detection algorithms. In European Symposium on Algorithms, pages 49 6, 1996 L. de Moura, H. Rueß, and M. Sorea. Lazy Theorem Proving for Bounded Model Checking over Infinite Domains. In Proc. of the 18th International Conference on Automated Deduction, volume 292 of LNCS, pages Springer, July 2002 David Detlefs, Greg Nelson, and James B. Saxe. Simplify: A theorem prover for program checking. Technical Report HPL , HP Laboratories Palo Alto, 200

134 ICCAD 2009 Tutorial p. 77/78 References [DST80] [FJS04] [GBT07] [NO79] [NO80] P. J. Downey, R. Sethi, and R. E. Tarjan. Variations on the common subexpression problem. Journal of the Association for Computing Machinery, 27(4): , October 1980 Cormac Flanagan, Rajeev Joshi, and James B. Saxe. An explicating theorem prover for quantified formulas. Technical Report HPL , HP Laboratories Palo Alto, 2004 Yeting Ge, Clark Barrett, and Cesare Tinelli. Solving quantified verification conditions using satisfiability modulo theories. In Frank Pfenning, editor, Proceedings of the 21 st International Conference on Automated Deduction (CADE 07), volume 460 of Lecture Notes in Artificial Intelligence, pages Springer-Verlag, July Bremen, Germany Greg Nelson and Derek C. Oppen. Simplification by cooperating decision procedures. ACM Trans. on Programming Languages and Systems, 1(2): , October 1979 Greg Nelson and Derek C. Oppen. Fast decision procedures based on congruence closure. Journal of the ACM, 27(2):56 64, 1980

135 ICCAD 2009 Tutorial p. 78/78 References [NO05] [NOT06] [TH96] Robert Nieuwenhuis and Albert Oliveras. DPLL(T) with exhaustive theory propagation and its application to difference logic. In Kousha Etessami and Sriram K. Rajamani, editors, Proceedings of the 17 th International Conference on Computer Aided Verification (CAV 05), volume 576 of Lecture Notes in Computer Science, pages Springer, July 2005 Robert Nieuwenhuis, Albert Oliveras, and Cesare Tinelli. Solving SAT and SAT Modulo Theories: from an Abstract Davis-Putnam-Logemann-Loveland Procedure to DPLL(T). Journal of the ACM, 5(6):97 977, November 2006 C. Tinelli and M. Harandi. A new correctness proof of the nelson-oppen combination procedure. In F. Baader and K. Schulz, editors, 1st International Workshop on Frontiers of Combining Systems (FroCoS 96), volume of Applied Logic Series. Kluwer Academic Publishers, 1996

WHAT IS AN SMT SOLVER? Jaeheon Yi - April 17, 2008

WHAT IS AN SMT SOLVER? Jaeheon Yi - April 17, 2008 WHAT I LL TALK ABOUT Propositional Logic Terminology, Satisfiability, Decision Procedure First-Order Logic Terminology, Background Theories Satisfiability