# On deciding satisfiability by DPLL(+T) and unsound theorem...

### Transcript of On deciding satisfiability by DPLL(+T) and unsound theorem...

OutlineMotivation: reasoning for SW verification

Idea: Unsound theorem proving to get decision proceduresDPLL(Γ+T ) with UTP: SMT-solver+Superposition+UTP

Decision procedures for type systemsDiscussion

On deciding satisfiability by DPLL(Γ+T ) andunsound theorem proving

Maria Paola Bonacina1

Dipartimento di Informatica

Universita degli Studi di Verona

Verona, Italy

August 4, 2009

1Joint work with Chris Lynch (Department of Mathematics and ComputerScience, Clarkson University, NY, USA) and Leonardo de Moura (MicrosoftResearch, Redmond, WA, USA)

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Idea: Unsound theorem proving to get decision proceduresDPLL(Γ+T ) with UTP: SMT-solver+Superposition+UTP

Decision procedures for type systemsDiscussion

Motivation: reasoning for SW verification

Idea: Unsound theorem proving to get decision procedures

DPLL(Γ+T ) with UTP: SMT-solver+Superposition+UTP

Decision procedures for type systems

Discussion

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Idea: Unsound theorem proving to get decision proceduresDPLL(Γ+T ) with UTP: SMT-solver+Superposition+UTP

Decision procedures for type systemsDiscussion

Problem statement

◮ Decide satisfiability of first-order formulægenerated by SW verification tools

◮ Satisfiability w.r.t. background theories

(e.g., linear arithmetic, bitvectors)

◮ With quantifiers to write, e.g.,◮ frame conditions over loops◮ auxiliary invariants over heaps◮ axioms of type systems and◮ application-specific theories without decision procedure

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Shape of problem

◮ Background theory T◮ T =

⋃n

i=1 Ti , e.g., linear arithmetic, bit-vectors

◮ Set of formulæ: R∪ P◮ R: set of non-ground clauses without T -symbols◮ P : large ground formula (set of ground clauses)

may contain T -symbols

◮ Determine whether R∪ P is satisfiable modulo T(Equivalently: determine whether T ∪ R ∪ P is satisfiable)

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Tools

◮ Davis-Putnam-Logemann-Loveland (DPLL) procedure for SAT

◮ Ti -solvers: Satisfiability procedures for the Ti ’s

◮ DPLL(T )-based SMT-solver: Decision procedure for T withNelson-Oppen combination of the Ti -sat procedures

◮ First-order engine Γ to handle R (additional theory):Resolution+Rewriting+Superposition: Superposition-based

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Combining strengths of different tools

◮ DPLL: SAT-problems; large non-Horn clauses

◮ Theory solvers: linear arithmetic, bitvectors

◮ DPLL(T )-based SMT-solver: efficient, scalable, integratedtheory reasoning

◮ Superposition-based inference system Γ:◮ equalities, Horn clauses, universal quantifiers◮ known to be a sat-procedure for several theories of data

structures

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

How to get decision procedures?

◮ During SW development conjectures are usually false due tomistakes in implementation or specification

◮ Need theorem prover that terminates on satisfiable inputs

◮ Not possible in general:◮ FOL is only semi-decidable◮ First-order formulæ of linear arithmetic with uninterpreted

functions: not even semi-decidable

However we need less than a general solution.

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Problematic axioms do occur in relevant inputs

⊑: subtype relationf : type constructor (e.g., Array-of)

◮ Transitivity

¬(x ⊑ y) ∨ ¬(y ⊑ z) ∨ x ⊑ z

◮ Monotonicity

¬(x ⊑ y) ∨ f (x) ⊑ f (y)

Resolution generates unbounded number of clauses(even with negative selection)

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

In practice we need finitely many

Example:

1. ¬(x ⊑ y) ∨ f (x) ⊑ f (y)

2. a ⊑ b generate

3. {f i (a) ⊑ f i(b)}i≥0

In practice f (a) ⊑ f (b) or f 2(a) ⊑ f 2(b) often suffice to showsatisfiability

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Idea: Unsound theorem proving

◮ TP applied to maths: most conjectures are true

◮ Sacrifice completeness for efficiencyRetain soundness: if proof found, input unsatisfiable

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Idea: Unsound theorem proving

◮ TP applied to maths: most conjectures are true

◮ Sacrifice completeness for efficiencyRetain soundness: if proof found, input unsatisfiable

◮ TP applied to verification: most conjectures are false

◮ Sacrifice soundness for terminationRetain completeness: if no proof, input satisfiable

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Idea: Unsound theorem proving

◮ TP applied to maths: most conjectures are true

◮ Sacrifice completeness for efficiencyRetain soundness: if proof found, input unsatisfiable

◮ TP applied to verification: most conjectures are false

◮ Sacrifice soundness for terminationRetain completeness: if no proof, input satisfiable

◮ How do we do it: Additional axioms to enforce termination

◮ Detect unsoundness as conflict + Recover by backtracking

(DPLL framework)

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Example

1. ¬(x ⊑ y) ∨ f (x) ⊑ f (y)

2. a ⊑ b

3. a ⊑ f (c)

4. ¬(a ⊑ c)

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Example

1. ¬(x ⊑ y) ∨ f (x) ⊑ f (y)

2. a ⊑ b

3. a ⊑ f (c)

4. ¬(a ⊑ c)

1. Add f (x) ≃ x

2. Rewrite a ⊑ f (c) into a ⊑ c and get 2: backtrack!

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Example

1. ¬(x ⊑ y) ∨ f (x) ⊑ f (y)

2. a ⊑ b

3. a ⊑ f (c)

4. ¬(a ⊑ c)

1. Add f (x) ≃ x

2. Rewrite a ⊑ f (c) into a ⊑ c and get 2: backtrack!

3. Add f (f (x)) ≃ x

4. a ⊑ b yields only f (a) ⊑ f (b)

5. a ⊑ f (c) yields only f (a) ⊑ c

6. Reach saturated state and detect satisfiability

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

DPLL

State of derivation: M ||F

◮ Decide: guess L is true, add it to M (decided literals)

◮ UnitPropagate: propagate consequences of assignment(implied literals)

◮ Conflict: detect L1 ∨ . . . ∨ Ln all false

◮ Explain: unfold implied literals and detect decided Li inconflict clause

◮ Learn: may learn conflict clause

◮ Backjump: undo assignment for Li

◮ Unsat: conflict clause is 2 (nothing else to try)

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

DPLL(T )

State of derivation: M ||F

◮ T -Propagate: add to M an L that is T -consequence of M

◮ T -Conflict: detect that L1, . . . ,Ln in M are T -inconsistent

Since Ti -solvers build T -model:

◮ PropagateEq: add to M a ground s ≃ t true in T -model

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

DPLL(Γ+T ): integrate Γ in DPLL(T )

◮ Idea: literals in M can be premises of Γ-inferences

◮ Stored as hypotheses in inferred clause

◮ Hypothetical clause: H ⊲ C (equivalent to ¬H ∨ C )

◮ Inferred clauses inherit hypotheses from premises

◮ Note: don’t need Γ for ground inferences

◮ Use each engine for what is best for:◮ Γ works on non-ground clauses and ground unit clauses◮ DPLL(T ) works on all and only ground clauses

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

DPLL(Γ+T )

State of derivation: M ||F

F : set of hypothetical clauses

◮ Deduce: Γ-inference, e.g., superposition, using non-ground

clauses in F and literals in M

◮ Backjump: remove hypothetical clauses depending on undoneassignments

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Unsound inferences

◮ Single unsound inference rule: add arbitrary clause C

◮ Simulate many:◮ Suppress literals in long clause C ∨ D:

add C and subsume◮ Replace deep term t by constant a:

add t ≃ a and rewrite

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Controlling unsound inferences

◮ Unsound inferences to induce termination on sat input

◮ What if the unsound inference makes problem unsat?!

◮ Detect conflict and backjump:◮ Keep track by adding ⌈C⌉ ⊲ C◮ ⌈C⌉: new propositional variable (a “name” for C )◮ Treat “unnatural failure” like “natural failure”

◮ Thus unsound inferences are reversible

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Unsound theorem proving in DPLL(Γ+T )

State of derivation: M ||F

Inference rule:

◮ UnsoundIntro: add ⌈C⌉ ⊲ C to F and ⌈C⌉ to M

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Example as done by system

1. ¬(x ⊑ y) ∨ f (x) ⊑ f (y)

2. a ⊑ b

3. a ⊑ f (c)

4. ¬(a ⊑ c)

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Example as done by system

1. ¬(x ⊑ y) ∨ f (x) ⊑ f (y)

2. a ⊑ b

3. a ⊑ f (c)

4. ¬(a ⊑ c)

1. Add ⌈f (x) ≃ x⌉ ⊲ f (x) ≃ x

2. Rewrite a ⊑ f (c) into ⌈f (x) ≃ x⌉ ⊲ a ⊑ c

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Example as done by system

1. ¬(x ⊑ y) ∨ f (x) ⊑ f (y)

2. a ⊑ b

3. a ⊑ f (c)

4. ¬(a ⊑ c)

1. Add ⌈f (x) ≃ x⌉ ⊲ f (x) ≃ x

2. Rewrite a ⊑ f (c) into ⌈f (x) ≃ x⌉ ⊲ a ⊑ c

3. Generate ⌈f (x) ≃ x⌉ ⊲ 2; Backtrack, learn ¬⌈f (x) ≃ x⌉

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Example as done by system

1. ¬(x ⊑ y) ∨ f (x) ⊑ f (y)

2. a ⊑ b

3. a ⊑ f (c)

4. ¬(a ⊑ c)

1. Add ⌈f (x) ≃ x⌉ ⊲ f (x) ≃ x

2. Rewrite a ⊑ f (c) into ⌈f (x) ≃ x⌉ ⊲ a ⊑ c

3. Generate ⌈f (x) ≃ x⌉ ⊲ 2; Backtrack, learn ¬⌈f (x) ≃ x⌉

4. Add ⌈f (f (x)) ≃ x⌉ ⊲ f (f (x)) ≃ x

5. a ⊑ b yields only f (a) ⊑ f (b)

6. a ⊑ f (c) yields only f (a) ⊑ f (f (c))rewritten to ⌈f (f (x)) = x⌉ ⊲ f (a) ⊑ c

7. Reach saturated state and detect satisfiability

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Issues about completeness

◮ Γ is refutationally complete

◮ Since Γ does not see all the clauses, DPLL(Γ + T ) does notinherit refutational completeness trivially

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Issues about completeness

◮ Γ is refutationally complete

◮ Since Γ does not see all the clauses, DPLL(Γ + T ) does notinherit refutational completeness trivially

◮ DPLL(T ) has depth-first search: complete for ground SMTproblems, not when injecting non-ground inferences

◮ Solution: iterative deepening on inference depth

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Issues about completeness

◮ Γ is refutationally complete

◮ Since Γ does not see all the clauses, DPLL(Γ + T ) does notinherit refutational completeness trivially

◮ DPLL(T ) has depth-first search: complete for ground SMTproblems, not when injecting non-ground inferences

◮ Solution: iterative deepening on inference depth

◮ However refutationally complete only for T emptyExample: R = {x = a ∨ x = b}, P = ∅, T is arithmeticUnsat but can’t tell!

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Solution

◮ Sufficient condition for refutational completeness with T 6= ∅:R be variable-inactive (tested automatically by Γ)

◮ it implies stable-infiniteness(needed for completeness of Nelson-Oppen combination)

◮ it excludes cardinality constraints (e.g., x = a ∨ x = b)

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Solution

◮ Sufficient condition for refutational completeness with T 6= ∅:R be variable-inactive (tested automatically by Γ)

◮ it implies stable-infiniteness(needed for completeness of Nelson-Oppen combination)

◮ it excludes cardinality constraints (e.g., x = a ∨ x = b)

◮ Use iterative deepening on both Deduce and UnsoundIntro

to impose also termination: DPLL(Γ+T ) gets “stuck” at k

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

How to get decision procedures

To decide satisfiability modulo T of R∪ P :

◮ Find sequence of “unsound axioms” U

◮ Show that there exists k s.t. k-bounded DPLL(Γ+T ) isguaranteed to terminate

◮ with Unsat if R∪ P is T -unsat◮ in a state which is not stuck at k if R∪ P is T -sat

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Decision procedures

◮ R has single monadic function symbol f

◮ Essentially finite: if R ∪ P is sat, has model where range of f

is finite

◮ Such a model satisfies f j(x) ≃ f k(x) for some j 6= k

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Decision procedures

◮ R has single monadic function symbol f

◮ Essentially finite: if R ∪ P is sat, has model where range of f

is finite

◮ Such a model satisfies f j(x) ≃ f k(x) for some j 6= k

◮ UnsoundIntro adds “pseudo-axioms” f j(x) ≃ f k(x) for j > k

◮ Use f j(x) ≃ f k(x) as rewrite rule to limit term depth

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Decision procedures

◮ R has single monadic function symbol f

◮ Essentially finite: if R ∪ P is sat, has model where range of f

is finite

◮ Such a model satisfies f j(x) ≃ f k(x) for some j 6= k

◮ UnsoundIntro adds “pseudo-axioms” f j(x) ≃ f k(x) for j > k

◮ Use f j(x) ≃ f k(x) as rewrite rule to limit term depth

◮ Clause length limited by properties of Γ and R

◮ Only finitely many clauses generated: termination withoutgetting stuck

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Situations where clause length is limited

Γ: Superposition, Hyperresolution, Simplification

Negative selection: only positive literals in positive clauses areactive

◮ R is Horn

◮ R is ground-preserving: variables in positive literals appearalso in negative literals;the only positive clauses are ground

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Concrete examples of essentially finite theories

Axiomatizations of type systems:

Reflexivity x ⊑ x (1)

Transitivity ¬(x ⊑ y) ∨ ¬(y ⊑ z) ∨ x ⊑ z (2)

Anti-Symmetry ¬(x ⊑ y) ∨ ¬(y ⊑ x) ∨ x ≃ y (3)

Monotonicity ¬(x ⊑ y) ∨ f (x) ⊑ f (y) (4)

Tree-Property ¬(z ⊑ x) ∨ ¬(z ⊑ y) ∨ x ⊑ y ∨ y ⊑ x (5)

MI = {(1), (2), (3), (4)}: type system with multiple inheritance

SI = MI ∪ {(5)}: type system with single inheritance

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Concrete examples of decision procedures

DPLL(Γ+T ) with UnsoundIntro adding f j(x) ≃ f k(x) for j > k

decides the satisfiability modulo T of problems

◮ MI ∪ P (MI is Horn)

◮ SI ∪ P (all ground-preserving except Reflexivity)

◮ MI ∪ TR ∪ P and SI ∪ TR ∪ P (by combination)

TR = {¬(g(x) ≃ null), h(g(x)) ≃ x}where g represents the type representative of a type.

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem

OutlineMotivation: reasoning for SW verification

Decision procedures for type systemsDiscussion

Summary of contributions and directions for future work

◮ DPLL(Γ+T ) + unsound TP: termination

◮ Decision procedures for type systems with multiple/singleinheritance used in ESC/Java and Spec#

◮ DPLL(Γ+T ) + variable-inactivity: completeness for T 6= ∅and combination of both built-in and axiomatized theories

◮ Extension to more presentations(e.g., y ⊑ x ∧ u ⊑ v ⊃ map(x , u) ⊑ map(y , v))

◮ Avoid duplication of reasoning on ground unit clauses

Maria Paola Bonacina On deciding satisfiability by DPLL(Γ+T ) and unsound theorem