Loading Chapters/Chapter02.tex +116 −106 Original line number Original line Diff line number Diff line Loading @@ -114,7 +114,7 @@ Tseitin transformation can be used to transform every formula to a equisatisfiable formula in \cnf with only linear increase of its equisatisfiable formula in \cnf with only linear increase of its size~\cite{Tse68}. size~\cite{Tse68}. \subsection{DPLL} \subsection{Davis--Putnam--Logemann--Loveland algorithm} Historically, the first procedure to solve \sat without explicitly Historically, the first procedure to solve \sat without explicitly computing the truth table of the formula was proposed by Davis and computing the truth table of the formula was proposed by Davis and Loading 
@@ -129,16 +129,18 @@ exponentially even for simple formulas. To alleviate this problem, the refinement of \dppr algorithm was introduced in 1962 by Davis, Putnam, refinement of \dppr algorithm was introduced in 1962 by Davis, Putnam, Logemann and Loveland~\cite{DPLL62}. Logemann and Loveland~\cite{DPLL62}. The Davis--Putnam--Logemann--Loveland algorithm (\dpll) iterativelly The Davis--Putnam--Logemann--Loveland \quotegraffito{If you don't know tries to build a satisfying assignment by deciding values of the where you are going any road can take you there.}{Alice in propositional variables and it backtracks if any of the input clauses Wonderland} algorithm (\dpll) iterativelly tries to build a becomes false in the current assignment. A key procedure guiding the satisfying assignment by deciding values of the propositional \dpll search is the \emph{unit clause rule}, which is based on the variables and it backtracks if any of the input clauses becomes false observation that if a formula contains a clause $C$ that is unit in in the current assignment. A key procedure guiding the \dpll search is the current assignment, the only way to build a satisfying assignment the \emph{unit clause rule}, which is based on the observation that if is to add the sole undefined literal of $C$ to $M$. The iterated a formula contains a clause $C$ that is unit in the current application of the unit clause rule is called \emph{unit propagation} assignment, the only way to build a satisfying assignment is to add or \emph{Boolean constraint propagation} (\bcp)~\cite{ZM88}. The \dpll the sole undefined literal of $C$ to $M$. The iterated application of the unit clause rule is called \emph{unit propagation} or \emph{Boolean constraint propagation} (\bcp)~\cite{ZM88}. The \dpll search consists of decision and propagation steps. In decision steps, search consists of decision and propagation steps. 
In decision steps, a variable and its new value are chosen and added to the current a variable and its new value are chosen and added to the current partial assignment. After each decision step, the \bcp is performed to partial assignment. After each decision step, the \bcp is performed to Loading Loading @@ -278,10 +280,12 @@ Notable examples of decidable first-order theories include all structures from $\teuf$ that are isomorphic to real numbers and all structures from $\teuf$ that are isomorphic to real numbers and interpret the function $+$ as addition, and the predicate $\leq$ as interpret the function $+$ as addition, and the predicate $\leq$ as the real comparison; the real comparison; \item the theory of \emph{real arithmetic}, which consists of all \item the theory of \emph{real arithmetic}\marginpar{In contrast to structures from $\teuf$ that are isomorphic to real numbers and real arithmetic, integer arithmetic with multiplication was shown interpret the function $+$ as addition, $\times$ as multiplication, to be undecidable by Gödel.}, which consists of all structures and the predicate $\leq$ as the real comparison; from $\teuf$ that are isomorphic to real numbers and interpret the function $+$ as addition, $\times$ as multiplication, and the predicate $\leq$ as the real comparison; \item the theory of \emph{arrays}, which consists of all structures \item the theory of \emph{arrays}, which consists of all structures from $\teuf$ isomorphic to the set of arrays with a binary function from $\teuf$ isomorphic to the set of arrays with a binary function $read(a, i)$ interpreted as a value in the index $i$ of the array $read(a, i)$ interpreted as a value in the index $i$ of the array Loading 
@@ -293,7 +297,7 @@ For a detailed description of these theories and implementation of the respective $T$-solvers, we refer the reader for example to the book of respective $T$-solvers, we refer the reader for example to the book of Bradley and Manna~\cite{BM07}.\marginpar{TODO: paragraph about combination of theories} Bradley and Manna~\cite{BM07}.\marginpar{TODO: paragraph about combination of theories} \subsection{DPLL(T)} \subsection{DPLL modulo theories} Most of the \smt approaches can be classified as \emph{eager} or Most of the \smt approaches can be classified as \emph{eager} or \emph{lazy}~\cite{BSST09}. The eager \smt approach consists in \emph{lazy}~\cite{BSST09}. The eager \smt approach consists in Loading Loading @@ -364,8 +368,8 @@ Z3~\cite{Z3}.\marginpar{TODO: Přetok} \label{ssec:natDomainSat} \label{ssec:natDomainSat} Although the separation of the Boolean and theory reasoning in the Although the separation of the Boolean and theory reasoning in the \dpll approach allows the solver to be modular, it can be also \dpll approach allows the solver to be modular, it can be also restricting in some cases. In particular, the \dpllt based solvers can restricting in some cases. In particular, \dpllt based solvers can not not directly reason about values of first-order variables, but have to directly reason about values of first-order variables, but have to rely on the $T$-solver guiding the search over Boolean rely on the $T$-solver guiding the search over Boolean valuations. While there are some techniques like \emph{splitting on valuations. While there are some techniques like \emph{splitting on demand}~\cite{BNOT06} , which allow the $T$-solver to add new atoms demand}~\cite{BNOT06} , which allow the $T$-solver to add new atoms Loading Loading 
@@ -472,19 +476,19 @@ and uninterpreted functions~\cite{McM11}. The \emph{theory of fixed sized bit-vectors (\BV)} is a multi-sorted The \emph{theory of fixed sized bit-vectors (\BV)} is a multi-sorted first-order theory with infinitely many sorts $\sort{n}$ corresponding first-order theory with infinitely many sorts $\sort{n}$ corresponding to bit-vectors of length $n$. The only predicate symbols in the \BV to bit-vectors of length $n$. The only predicate symbols in the \BV theory are $=$, $\leq_u$, and $\leq_s$, representing equality, theory are $=$, $\leq_u$, and $\leq_s$, interpretead as equality, unsigned inequality of binary-encoded natural numbers, and signed unsigned inequality of binary-encoded natural numbers, and signed inequality of integers in $2$'s complement representation, inequality of integers in $2$'s complement representation, respectively. Function symbols in the theory are respectively. Function symbols in the theory are $+, \times, \div, \&, \mid, \oplus, \ll, \gg, \cdot, \extract{n}{p}$, $+, \times, \div, \&, \mid, \oplus, \ll, \gg, \cdot, \extract{n}{p}$, representing addition, multiplication, unsigned division, bit-wise interpreted as addition, multiplication, unsigned division, bit-wise and, bit-wise or, bit-wise exclusive or, left-shift, right-shift, and, bit-wise or, bit-wise exclusive or, left-shift, right-shift, concatenation, and extraction of $n$ bits starting from the position concatenation, and extraction of $n$ bits starting from the position $p$, respectively. For detailed description of the \BV theory syntax $p$, respectively. For the detailed description of the \BV theory and semantics, see for example Hadarean's PhD syntax and semantics, see for example Hadarean's PhD thesis~\cite{Had15}. This section focuses on the problem of thesis~\cite{Had15}. 
This section focuses on the problem of satisfiability of the quantifier-free fragment of the \BV theory, satisfiability of the quantifier-free fragment of the \BV theory, denoted \QFBV. %The the full \BV logic is treated in the next section. denoted \QFBV. The the full \BV logic is treated in the next section. Current state-of-the-art \smt solvers for the \QFBV logic rely on Current state-of-the-art \smt solvers for the \QFBV logic rely on rewriting techniques, used to simplify the formula during the rewriting techniques, used to simplify the formula during the Loading 
@@ -505,14 +509,16 @@ possibly faster but incomplete sub-solvers for equality and inequality reasoning and if the sub-solvers are not sufficient for deciding the reasoning and if the sub-solvers are not sufficient for deciding the satisfiability of the formula, theory lemmas and propagated literals satisfiability of the formula, theory lemmas and propagated literals generated by the sub-solvers are added to the formula and a lazy generated by the sub-solvers are added to the formula and a lazy \dpllt bit-blasting solver is employed~\cite{HBJBT14}. \dpllt bit-blasting solver is employed~\cite{HBJBT14}. \marginpar{TODO: Nepřidat odstavec o propagating-complete \cnf encodings?} \subsection{Word-level techinques} \subsection{Word-level techinques} Although bit-blasting is highly efficient for most of practical Although bit-blasting is highly efficient for most of practical problems, it can exhaust memory if the input formula contains complex problems, it can exhaust memory of the solver if the input formula arithmetic or variables with large bit-width. Several techniques that contains complex arithmetic or variables with large bit-width. Several which avoid the bit-blasting have been proposed to alleviate this techniques that avoid the bit-blasting have been proposed to alleviate problem. this problem. Some useful fragments of the bit-vector theory can be solved by Some useful fragments of the bit-vector theory can be solved by specialized algorithms for deciding satisfiability. For example, specialized algorithms for deciding satisfiability. For example, Loading 
@@ -525,90 +531,93 @@ used for deciding satisfiability of bit-vector formulas that contain only arithmetic and no bit-wise operations~\cite{BM05}. only arithmetic and no bit-wise operations~\cite{BM05}. Recently, an instance of the model-constructing satisfiability Recently, an instance of the model-constructing satisfiability calculus introduced in subsection \ref{ssec:natDomainSat} was calculus, which was introduced in subsection \ref{ssec:natDomainSat}, implemented by Zeljić et al. in the solver \mcbv~\cite{ZWR16}. They was implemented by Zeljić et al. in the solver have extended the \mcsat framework by the ability to perform partial \mcbv~\cite{ZWR16}. Zeljić et al. have extended the \mcsat framework assignments and proposed heuristics for generalizing explanations of by the ability to perform partial assignments and have proposed bit-vector conflicts. For example, the solver \mcsat can perform the heuristics for generalizing explanations of bit-vector conflicts. For partial assignment $\extract{2}{0}(x) \mapsto 10$, denoting that the example, the solver \mcsat can perform the partial assignment two least significant bits of $x$ are $10$. To be able to efficiently $\extract{2}{0}(x) \mapsto 10$, denoting that the two least use such partial assignments, the solver \mcbv mantains an significant bits of $x$ are $10$. To be able to efficiently use such over-approximation of the set of models that are compatible with the partial assignments, the solver \mcbv mantains two over-approximations current partial assignment using bit-patterns and arithmetic of the set of models that are compatible with the current partial intervals. Bit-patterns are sequences of $0$, $1$ and $u$, which assignment -- using \emph{bit-patterns} and \emph{arithmetic represent undefined bits, and constrain the values of particular bits intervals}. Bit-patterns are sequences of $0$, $1$ and $u$, which in the assignment. 
Arithmetic intervals are pairs of bit-vector values represents undefined bit, and constrain the values of particular bits representing lower and upper bounds and constrain integral values of in the assignment. On the other hand, arithmetic intervals are pairs bit-vectors. Both bit-patterns and arithmetic intervals can be ordered of bit-vector values representing lower and upper bounds and constrain to form a lattice, in which the solver performs a search if a conflict integral values of bit-vectors. Both bit-patterns and arithmetic is detected in order to generalize from the conflict. intervals can be ordered to form a lattice in which the solver performs a search for a more general explanation if a conflict is detected. Another word-level approach for the full bit-vector theory is Another word-level approach for the full bit-vector theory is \emph{stochastic local search} (\sls), proposed for solving \emph{stochastic local search} (\sls), proposed for solving bit-vectors by Frohlich et al.~\cite{FBWH15} and subsequently improved bit-vectors by Frohlich et al.~\cite{FBWH15} and subsequently improved by Niemetz et al.~\cite{NPBF15,NPB16}. In the \sls approach, the by Niemetz et al.~\cite{NPBF15,NPB16}. In the \sls approach, the solver randomly chooses initial values of bit-vector variables and solver randomly chooses initial values of bit-vector variables and tries to find a satisfying assignment by performing random bit flips tries to find a satisfying assignment by performing random bit flips, guided by the scoring function based on the satisfaction of which are guided by the scoring function based on the satisfaction of subformulas of the input formula. Niemetz et al. have improved the subformulas of the input formula. Niemetz et al. 
have improved the \sls technique with the path-based propagation, which, instead of \sls technique with the \emph{path-based propagation}, which, instead relying solely on random modifications guided by the scoring function, of relying solely on random bit modifications guided by the scoring allows computing values of bit-vector variables that are necessary to function, allows computing values of bit-vector variables that are satisfy randomly selected subformulas. The \sls based solver has been necessary to satisfy randomly selected subformulas. The \sls based shown to be able to decide several formulas not decided by solver has been shown to be able to decide several formulas not bit-blasting solvers. To combine benefit of bit-blasting and \sls decided by bit-blasting solvers. To combine benefit of bit-blasting approaches, the latest version of Boolector, which have won the 2016 and \sls approaches, the latest version of Boolector, which have won SMT competition in category of unquantified bit-vectors, uses a the 2016 SMT competition in category of unquantified bit-vectors, uses protfolio approach which consists in first running a \sls based solver a protfolio approach, which consists in first running a \sls based for a short period of time and then running a bit-blasting solver if solver for a short period of time and then running a bit-blasting the \sls solver fails to solve the formula~\cite{BoolectorComp}. solver if the \sls solver fails to solve the formula~\cite{BoolectorComp}. \subsection{Preprocessing} \subsection{Preprocessing} For both bit-blasting and word-level approaches, a preprocessing of For both bit-blasting and word-level approaches, a preprocessing of the input formula is necessary for the efficiency of the the input formula is crucial for the efficiency of the solver. Therefore, modern SMT solvers employ hundreds of rewrite rules solver. Therefore, modern \smt solvers employ hundreds of rewrite in order to simplify the input formula. 
Franzén describes several rules in order to simplify the input formula~\cite{Fra10}. Franzén simplifications implemented in the solver MathSAT5: canonization, describes several classes of simplification methods implemented in the unconstrained variables propagation, packet splitting, and disjunctive solver MathSAT5: canonization, unconstrained variables propagation, partitioning~\cite{Fra10}. packet splitting, and disjunctive partitioning~\cite{Fra10}. The aim of the \emph{canonization} is converting subterms of the The aim of the \emph{canonization} is converting subterms of the formula to their canonical forms. For example $x + x = 0$ can be formula to their canonical forms. For example, the term $x - x$ can be rewritten to $2*x = 0$. Although efficient algorithms exist for rewritten to $0$. Although efficient algorithms exist for several several fragments of the \BV theory, like the core theory of fragments of the \BV theory, like the core theory of bit-vectors, the bit-vectors, the problem of computing the canonical form for the full problem of computing the canonical form for the full \BV theory is \BV theory is NP-hard~\cite{BDL98}. Therefore, SMT solvers usually do NP-hard~\cite{BDL98}. Therefore, SMT solvers usually do not compute not compute the canonical form, but rely on multiple heuristically the canonical form, but rely on multiple heuristically chosen rewrite chosen rewrite rules that produce the canonical form for simple rules that produce the canonical form for simple terms, but are not terms, but are not required to produce the canonical form in general. required to produce the canonical form of all terms. From the remaining simplification techniques presented by Franzén, we From the remaining simplification techniques presented by Franzén, we describe propagation of unconstrained variables in more detail, as it focus on propagation of unconstrained variables, as it is highly is highly relevant for software verification. 
relevant for software verification. A variable $x$ in the given formula is called \emph{unconstrained} if A variable $x$ in a formula is called \emph{unconstrained} if it it occurs only once in the formula. Brummayer~\cite{Brum10} and occurs only once in the formula. Brummayer~\cite{Brum10} and Bruttomesso~\cite{Bru08} independently observed that if an Bruttomesso~\cite{Bru08} have independently observed that if an unconstrained variable occurs as an argument to a function symbol, unconstrained variable occurs as an argument to a function symbol, which can be \emph{inverted} with respect to this argument, replacing which can be \emph{inverted} with respect to this argument, replacing this function with a fresh variable yields an equi-satisfiable this function with a fresh variable yields an equisatisfiable formula. Moreover, unconstrained variables often occur in the formula. Moreover, unconstrained variables often occur in the industrial benchmarks and especially in benchmarks comming from a industrial benchmarks and especially in benchmarks produced during a verification of programs in a single static assignment form, such as verification of programs in a single static assignment form, such as LLVM bit-code. LLVM bit-code. With a slight abuse of notation, which identifies interpreted function With a slight abuse of notation which identifies interpreted function symbols with their intended interpretations, a simple definition of symbols with their intended interpretations, a simple definition of invertibility for binary function symbols, which can be easily invertibility for binary function symbols, which can be easily generalized, is as follows. A binary function $f$ can be inverted with generalized, is as follows. A binary function $f$ can be inverted with respect to its first argument, if for every two values $a_i, a_o$, respect to its first argument if for every two values $a_i, a_o$ there there exists a value $b$ such that $f(b,a_i) = a_o$. 
For example, as exists a value $b$ such that $f(b,a_i) = a_o$. For example, as the the addition is invertible with respect to its first argument, the addition is invertible with respect to its first argument, the formula formula $\varphi \equiv x + (y * y - 30 * z * y) = 0$ can be $\varphi \equiv x + (y * y - 30 * z * y) = 0$ can be transformed to an transformed to an equi-satisfiable formula $v = 0$, where $v$ is a equisatisfiable formula $v = 0$, where $v$ is a fresh variable, fresh variable, because $x$ is unconstrained in $\varphi$. Note that in because $x$ is unconstrained in $\varphi$. Note that in contrast to contrast with the theory of integers, the function $f(x) = k \times x$ the theory of integers, the function $f(x) = k \times x$ is invertible is invertible precisely if $k$ is odd. in bit-vectors precisely if $k$ is odd. \section{Satisfiability of quantified bit-vector formulas} \section{Satisfiability of quantified bit-vector formulas} Loading Loading 
@@ -717,11 +726,11 @@ computational complexity perspective, as it is the first problem that was shown to be \NP-complete. The complexity of the satisfiability was shown to be \NP-complete. The complexity of the satisfiability problems for various variants of bit-vector theory have been recently problems for various variants of bit-vector theory have been recently studied and was shown to range from \NP-complete to studied and was shown to range from \NP-complete to 2-NEXPTIME-complete~\cite{KFB16}. In particular, interesting variants \NNEXPTIME-complete~\cite{KFB16}. In particular, interesting variants of the bit-vector satisfiability problem differ in allowing of the bit-vector satisfiability problem differ in allowing uninterpreted functions, allowing quantifiers, and in encoding of the uninterpreted functions, allowing quantifiers, and in encoding of the bit-widths (unary vs. binary). In the following, we follow the bit-widths (unary vs. binary). In the following, we follow the notation from of Kováznai et al~\cite{KFB16} -- decision problems for notation of Kováznai et al~\cite{KFB16} -- decision problems for quantifer-free fragments are dentoted by the prefix QF\_, the quantifer-free fragments are dentoted by the prefix QF\_, the combination with the theory of uninterpreted functions is denoted by combination with the theory of uninterpreted functions is denoted by the prefix UF, and the problems with unary and binary encoded the prefix UF, and the problems with unary and binary encoded Loading 
@@ -733,8 +742,8 @@ uninterpreted functions and binary encoded bit-withs. polynomial time reduction from QF\_BV1 to \sat, showing that QF\_BV1 polynomial time reduction from QF\_BV1 to \sat, showing that QF\_BV1 is in NP. A similar reduction from BV1 to \qbf can show that BV is in is in NP. A similar reduction from BV1 to \qbf can show that BV is in \PSPACE. For lower bounds, \NP-hardness of QF\_BV1 follows from a \PSPACE. For lower bounds, \NP-hardness of QF\_BV1 follows from a simple reduction from \sat, which encodes each propositional variable simple reduction from \sat, by encoding each propositional variable as as a bit-vector of bit-width 1, and similarly, BV1 can be shown to be a bit-vector of bit-width 1, and similarly, BV1 can be shown to be \PSPACE-hard. \PSPACE-hard. In quantifier-free formulas, uninterpreted functions can be eliminated In quantifier-free formulas, uninterpreted functions can be eliminated Loading 
@@ -742,26 +751,27 @@ by the Ackermann expansion with only quadratic increase in the size of the formula. Therefore, QF\_UFBV1 is in \NP. As the set of QF\_UFBV1 the formula. Therefore, QF\_UFBV1 is in \NP. As the set of QF\_UFBV1 formulas contains all QF\_BV1 formulas, QF\_UFBV1 is also NP-hard. The formulas contains all QF\_BV1 formulas, QF\_UFBV1 is also NP-hard. The case of UFBV1 is more involved. Wintersteiger et al. have shown that case of UFBV1 is more involved. Wintersteiger et al. have shown that UFBV1 is \NEXPTIME-complete by using \emph{effectively propositonal} UFBV1 is \NEXPTIME-complete by using \emph{effectively propositional} fragment of the first-order logic, which is well known to be fragment of the first-order logic, which is well known to be \NEXPTIME-complete~\cite{WHD13}. The class of effectively \NEXPTIME-complete~\cite{WHD13}. The class of effectively propositional formulas, also known as the Bernays--Schönfinkel class, \marginpar{The class of effectively propositional formulas is also known the Bernays--Schönfinkel class.} propositional formulas consists only of formulas in form $\exists^*\forall^*\varphi$, where consists only of formulas in form $\exists^*\forall^*\varphi$, where $\varphi$ does not contain any quantifiers or function symbols. $\varphi$ does not contain any quantifiers or function symbols. \paragraph{Binary encoded bit-widths} \paragraph{Binary encoded bit-widths} With binary encoded bit-widths, the bit-blasting may yield For formulas with binary encoded bit-widths, the bit-blasting may propositional formula that is exponentially larger than the original yield propositional formula that is exponentially larger than the input bit-vector formula, as the number of bits may be exponential original input bit-vector formula, as the number of bits may be with respect to the size of the formula. Therefore, bit-blasting shows exponential with respect to the size of the formula. Therefore, that QF\_BV2 is in \NEXPTIME. 
On the other hand, Kovásznai et al. have bit-blasting shows that QF\_BV2 is in \NEXPTIME. On the other hand, presented a polynomial time reduction of satisfiability of Kovásznai et al. have presented a polynomial time reduction of \emph{dependent quantified boolean formulas} (\dqbf) to QF\_BV2. Since satisfiability of \emph{dependent quantified boolean formulas} (\dqbf) \dqbf is well known to be \NEXPTIME-complete, this reduction shows to QF\_BV2. Since \dqbf is well known to be \NEXPTIME-complete, this \NEXPTIME-hardness of QF\_BV2~\cite{KFB12}. In contrast, the precise reduction shows \NEXPTIME-hardness of QF\_BV2~\cite{KFB12}. In complexity after adding quantifiers is not known. BV2 is known to be contrast, the precise complexity after adding quantifiers is not in \EXPSPACE and hence it contains all formulas from QF\_BV2, it is known. BV2 is known to be in \EXPSPACE and because it contains all also \NEXPTIME-hard. formulas from QF\_BV2, it is also \NEXPTIME-hard. Similarly to the case with the unary encoding, the complexity of the Similarly to the case with the unary encoding, the complexity of the quantifier-fre fragment stays the same when the uninterpreted quantifier-fre fragment stays the same when the uninterpreted Loading Includes/config.tex +3 −1 Original line number Original line Diff line number Diff line \theoremstyle{definition} \theoremstyle{definition} \newtheorem{exmp}{Example}[section] \newtheorem{exmp}{Example}[section] %\newcommand{\quotegraffito}[2]{\graffito{#1\\--~\emph{#2}}} No newline at end of file Includes/packages.tex +2 −1 Original line number Original line Diff line number Diff line \usepackage{amssymb} \usepackage{amssymb} \usepackage{amsthm} \usepackage{amsthm} \usepackage[strict]{changepage} \usepackage[strict]{changepage} \usepackage{cleveref} Loading
@@ -505,14 +509,16 @@ possibly faster but incomplete sub-solvers for equality and inequality reasoning and if the sub-solvers are not sufficient for deciding the reasoning and if the sub-solvers are not sufficient for deciding the satisfiability of the formula, theory lemmas and propagated literals satisfiability of the formula, theory lemmas and propagated literals generated by the sub-solvers are added to the formula and a lazy generated by the sub-solvers are added to the formula and a lazy \dpllt bit-blasting solver is employed~\cite{HBJBT14}. \dpllt bit-blasting solver is employed~\cite{HBJBT14}. \marginpar{TODO: Nepřidat odstavec o propagating-complete \cnf encodings?} \subsection{Word-level techinques} \subsection{Word-level techinques} Although bit-blasting is highly efficient for most of practical Although bit-blasting is highly efficient for most of practical problems, it can exhaust memory if the input formula contains complex problems, it can exhaust memory of the solver if the input formula arithmetic or variables with large bit-width. Several techniques that contains complex arithmetic or variables with large bit-width. Several which avoid the bit-blasting have been proposed to alleviate this techniques that avoid the bit-blasting have been proposed to alleviate problem. this problem. Some useful fragments of the bit-vector theory can be solved by Some useful fragments of the bit-vector theory can be solved by specialized algorithms for deciding satisfiability. For example, specialized algorithms for deciding satisfiability. For example, Loading 
@@ -525,90 +531,93 @@ used for deciding satisfiability of bit-vector formulas that contain only arithmetic and no bit-wise operations~\cite{BM05}. only arithmetic and no bit-wise operations~\cite{BM05}. Recently, an instance of the model-constructing satisfiability Recently, an instance of the model-constructing satisfiability calculus introduced in subsection \ref{ssec:natDomainSat} was calculus, which was introduced in subsection \ref{ssec:natDomainSat}, implemented by Zeljić et al. in the solver \mcbv~\cite{ZWR16}. They was implemented by Zeljić et al. in the solver have extended the \mcsat framework by the ability to perform partial \mcbv~\cite{ZWR16}. Zeljić et al. have extended the \mcsat framework assignments and proposed heuristics for generalizing explanations of by the ability to perform partial assignments and have proposed bit-vector conflicts. For example, the solver \mcsat can perform the heuristics for generalizing explanations of bit-vector conflicts. For partial assignment $\extract{2}{0}(x) \mapsto 10$, denoting that the example, the solver \mcsat can perform the partial assignment two least significant bits of $x$ are $10$. To be able to efficiently $\extract{2}{0}(x) \mapsto 10$, denoting that the two least use such partial assignments, the solver \mcbv mantains an significant bits of $x$ are $10$. To be able to efficiently use such over-approximation of the set of models that are compatible with the partial assignments, the solver \mcbv mantains two over-approximations current partial assignment using bit-patterns and arithmetic of the set of models that are compatible with the current partial intervals. Bit-patterns are sequences of $0$, $1$ and $u$, which assignment -- using \emph{bit-patterns} and \emph{arithmetic represent undefined bits, and constrain the values of particular bits intervals}. Bit-patterns are sequences of $0$, $1$ and $u$, which in the assignment. 
Arithmetic intervals are pairs of bit-vector values represents undefined bit, and constrain the values of particular bits representing lower and upper bounds and constrain integral values of in the assignment. On the other hand, arithmetic intervals are pairs bit-vectors. Both bit-patterns and arithmetic intervals can be ordered of bit-vector values representing lower and upper bounds and constrain to form a lattice, in which the solver performs a search if a conflict integral values of bit-vectors. Both bit-patterns and arithmetic is detected in order to generalize from the conflict. intervals can be ordered to form a lattice in which the solver performs a search for a more general explanation if a conflict is detected. Another word-level approach for the full bit-vector theory is Another word-level approach for the full bit-vector theory is \emph{stochastic local search} (\sls), proposed for solving \emph{stochastic local search} (\sls), proposed for solving bit-vectors by Frohlich et al.~\cite{FBWH15} and subsequently improved bit-vectors by Frohlich et al.~\cite{FBWH15} and subsequently improved by Niemetz et al.~\cite{NPBF15,NPB16}. In the \sls approach, the by Niemetz et al.~\cite{NPBF15,NPB16}. In the \sls approach, the solver randomly chooses initial values of bit-vector variables and solver randomly chooses initial values of bit-vector variables and tries to find a satisfying assignment by performing random bit flips tries to find a satisfying assignment by performing random bit flips, guided by the scoring function based on the satisfaction of which are guided by the scoring function based on the satisfaction of subformulas of the input formula. Niemetz et al. have improved the subformulas of the input formula. Niemetz et al. 
have improved the \sls technique with the path-based propagation, which, instead of \sls technique with the \emph{path-based propagation}, which, instead relying solely on random modifications guided by the scoring function, of relying solely on random bit modifications guided by the scoring allows computing values of bit-vector variables that are necessary to function, allows computing values of bit-vector variables that are satisfy randomly selected subformulas. The \sls based solver has been necessary to satisfy randomly selected subformulas. The \sls based shown to be able to decide several formulas not decided by solver has been shown to be able to decide several formulas not bit-blasting solvers. To combine benefit of bit-blasting and \sls decided by bit-blasting solvers. To combine benefit of bit-blasting approaches, the latest version of Boolector, which have won the 2016 and \sls approaches, the latest version of Boolector, which have won SMT competition in category of unquantified bit-vectors, uses a the 2016 SMT competition in category of unquantified bit-vectors, uses protfolio approach which consists in first running a \sls based solver a protfolio approach, which consists in first running a \sls based for a short period of time and then running a bit-blasting solver if solver for a short period of time and then running a bit-blasting the \sls solver fails to solve the formula~\cite{BoolectorComp}. solver if the \sls solver fails to solve the formula~\cite{BoolectorComp}. \subsection{Preprocessing} \subsection{Preprocessing} For both bit-blasting and word-level approaches, a preprocessing of For both bit-blasting and word-level approaches, a preprocessing of the input formula is necessary for the efficiency of the the input formula is crucial for the efficiency of the solver. Therefore, modern SMT solvers employ hundreds of rewrite rules solver. Therefore, modern \smt solvers employ hundreds of rewrite in order to simplify the input formula. 
Franzén describes several rules in order to simplify the input formula~\cite{Fra10}. Franzén simplifications implemented in the solver MathSAT5: canonization, describes several classes of simplification methods implemented in the unconstrained variables propagation, packet splitting, and disjunctive solver MathSAT5: canonization, unconstrained variables propagation, partitioning~\cite{Fra10}. packet splitting, and disjunctive partitioning~\cite{Fra10}. The aim of the \emph{canonization} is converting subterms of the The aim of the \emph{canonization} is converting subterms of the formula to their canonical forms. For example $x + x = 0$ can be formula to their canonical forms. For example, the term $x - x$ can be rewritten to $2*x = 0$. Although efficient algorithms exist for rewritten to $0$. Although efficient algorithms exist for several several fragments of the \BV theory, like the core theory of fragments of the \BV theory, like the core theory of bit-vectors, the bit-vectors, the problem of computing the canonical form for the full problem of computing the canonical form for the full \BV theory is \BV theory is NP-hard~\cite{BDL98}. Therefore, SMT solvers usually do NP-hard~\cite{BDL98}. Therefore, SMT solvers usually do not compute not compute the canonical form, but rely on multiple heuristically the canonical form, but rely on multiple heuristically chosen rewrite chosen rewrite rules that produce the canonical form for simple rules that produce the canonical form for simple terms, but are not terms, but are not required to produce the canonical form in general. required to produce the canonical form of all terms. From the remaining simplification techniques presented by Franzén, we From the remaining simplification techniques presented by Franzén, we describe propagation of unconstrained variables in more detail, as it focus on propagation of unconstrained variables, as it is highly is highly relevant for software verification. 
relevant for software verification. A variable $x$ in the given formula is called \emph{unconstrained} if A variable $x$ in a formula is called \emph{unconstrained} if it it occurs only once in the formula. Brummayer~\cite{Brum10} and occurs only once in the formula. Brummayer~\cite{Brum10} and Bruttomesso~\cite{Bru08} independently observed that if an Bruttomesso~\cite{Bru08} have independently observed that if an unconstrained variable occurs as an argument to a function symbol, unconstrained variable occurs as an argument to a function symbol, which can be \emph{inverted} with respect to this argument, replacing which can be \emph{inverted} with respect to this argument, replacing this function with a fresh variable yields an equi-satisfiable this function with a fresh variable yields an equisatisfiable formula. Moreover, unconstrained variables often occur in the formula. Moreover, unconstrained variables often occur in the industrial benchmarks and especially in benchmarks comming from a industrial benchmarks and especially in benchmarks produced during a verification of programs in a single static assignment form, such as verification of programs in a single static assignment form, such as LLVM bit-code. LLVM bit-code. With a slight abuse of notation, which identifies interpreted function With a slight abuse of notation which identifies interpreted function symbols with their intended interpretations, a simple definition of symbols with their intended interpretations, a simple definition of invertibility for binary function symbols, which can be easily invertibility for binary function symbols, which can be easily generalized, is as follows. A binary function $f$ can be inverted with generalized, is as follows. A binary function $f$ can be inverted with respect to its first argument, if for every two values $a_i, a_o$, respect to its first argument if for every two values $a_i, a_o$ there there exists a value $b$ such that $f(b,a_i) = a_o$. 
For example, as exists a value $b$ such that $f(b,a_i) = a_o$. For example, as the the addition is invertible with respect to its first argument, the addition is invertible with respect to its first argument, the formula formula $\varphi \equiv x + (y * y - 30 * z * y) = 0$ can be $\varphi \equiv x + (y * y - 30 * z * y) = 0$ can be transformed to an transformed to an equi-satisfiable formula $v = 0$, where $v$ is a equisatisfiable formula $v = 0$, where $v$ is a fresh variable, fresh variable, because $x$ is unconstrained in $\varphi$. Note that in because $x$ is unconstrained in $\varphi$. Note that in contrast to contrast with the theory of integers, the function $f(x) = k \times x$ the theory of integers, the function $f(x) = k \times x$ is invertible is invertible precisely if $k$ is odd. in bit-vectors precisely if $k$ is odd. \section{Satisfiability of quantified bit-vector formulas} \section{Satisfiability of quantified bit-vector formulas} Loading Loading 
@@ -717,11 +726,11 @@ computational complexity perspective, as it is the first problem that was shown to be \NP-complete. The complexity of the satisfiability was shown to be \NP-complete. The complexity of the satisfiability problems for various variants of bit-vector theory have been recently problems for various variants of bit-vector theory have been recently studied and was shown to range from \NP-complete to studied and was shown to range from \NP-complete to 2-NEXPTIME-complete~\cite{KFB16}. In particular, interesting variants \NNEXPTIME-complete~\cite{KFB16}. In particular, interesting variants of the bit-vector satisfiability problem differ in allowing of the bit-vector satisfiability problem differ in allowing uninterpreted functions, allowing quantifiers, and in encoding of the uninterpreted functions, allowing quantifiers, and in encoding of the bit-widths (unary vs. binary). In the following, we follow the bit-widths (unary vs. binary). In the following, we follow the notation from of Kováznai et al~\cite{KFB16} -- decision problems for notation of Kováznai et al~\cite{KFB16} -- decision problems for quantifer-free fragments are dentoted by the prefix QF\_, the quantifer-free fragments are dentoted by the prefix QF\_, the combination with the theory of uninterpreted functions is denoted by combination with the theory of uninterpreted functions is denoted by the prefix UF, and the problems with unary and binary encoded the prefix UF, and the problems with unary and binary encoded Loading 
@@ -733,8 +742,8 @@ uninterpreted functions and binary encoded bit-withs. polynomial time reduction from QF\_BV1 to \sat, showing that QF\_BV1 polynomial time reduction from QF\_BV1 to \sat, showing that QF\_BV1 is in NP. A similar reduction from BV1 to \qbf can show that BV is in is in NP. A similar reduction from BV1 to \qbf can show that BV is in \PSPACE. For lower bounds, \NP-hardness of QF\_BV1 follows from a \PSPACE. For lower bounds, \NP-hardness of QF\_BV1 follows from a simple reduction from \sat, which encodes each propositional variable simple reduction from \sat, by encoding each propositional variable as as a bit-vector of bit-width 1, and similarly, BV1 can be shown to be a bit-vector of bit-width 1, and similarly, BV1 can be shown to be \PSPACE-hard. \PSPACE-hard. In quantifier-free formulas, uninterpreted functions can be eliminated In quantifier-free formulas, uninterpreted functions can be eliminated Loading 
@@ -742,26 +751,27 @@ by the Ackermann expansion with only quadratic increase in the size of the formula. Therefore, QF\_UFBV1 is in \NP. As the set of QF\_UFBV1 the formula. Therefore, QF\_UFBV1 is in \NP. As the set of QF\_UFBV1 formulas contains all QF\_BV1 formulas, QF\_UFBV1 is also NP-hard. The formulas contains all QF\_BV1 formulas, QF\_UFBV1 is also NP-hard. The case of UFBV1 is more involved. Wintersteiger et al. have shown that case of UFBV1 is more involved. Wintersteiger et al. have shown that UFBV1 is \NEXPTIME-complete by using \emph{effectively propositonal} UFBV1 is \NEXPTIME-complete by using \emph{effectively propositional} fragment of the first-order logic, which is well known to be fragment of the first-order logic, which is well known to be \NEXPTIME-complete~\cite{WHD13}. The class of effectively \NEXPTIME-complete~\cite{WHD13}. The class of effectively propositional formulas, also known as the Bernays--Schönfinkel class, \marginpar{The class of effectively propositional formulas is also known the Bernays--Schönfinkel class.} propositional formulas consists only of formulas in form $\exists^*\forall^*\varphi$, where consists only of formulas in form $\exists^*\forall^*\varphi$, where $\varphi$ does not contain any quantifiers or function symbols. $\varphi$ does not contain any quantifiers or function symbols. \paragraph{Binary encoded bit-widths} \paragraph{Binary encoded bit-widths} With binary encoded bit-widths, the bit-blasting may yield For formulas with binary encoded bit-widths, the bit-blasting may propositional formula that is exponentially larger than the original yield propositional formula that is exponentially larger than the input bit-vector formula, as the number of bits may be exponential original input bit-vector formula, as the number of bits may be with respect to the size of the formula. Therefore, bit-blasting shows exponential with respect to the size of the formula. Therefore, that QF\_BV2 is in \NEXPTIME. 
On the other hand, Kovásznai et al. have bit-blasting shows that QF\_BV2 is in \NEXPTIME. On the other hand, presented a polynomial time reduction of satisfiability of Kovásznai et al. have presented a polynomial time reduction of \emph{dependent quantified boolean formulas} (\dqbf) to QF\_BV2. Since satisfiability of \emph{dependent quantified boolean formulas} (\dqbf) \dqbf is well known to be \NEXPTIME-complete, this reduction shows to QF\_BV2. Since \dqbf is well known to be \NEXPTIME-complete, this \NEXPTIME-hardness of QF\_BV2~\cite{KFB12}. In contrast, the precise reduction shows \NEXPTIME-hardness of QF\_BV2~\cite{KFB12}. In complexity after adding quantifiers is not known. BV2 is known to be contrast, the precise complexity after adding quantifiers is not in \EXPSPACE and hence it contains all formulas from QF\_BV2, it is known. BV2 is known to be in \EXPSPACE and because it contains all also \NEXPTIME-hard. formulas from QF\_BV2, it is also \NEXPTIME-hard. Similarly to the case with the unary encoding, the complexity of the Similarly to the case with the unary encoding, the complexity of the quantifier-fre fragment stays the same when the uninterpreted quantifier-fre fragment stays the same when the uninterpreted Loading
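Review bot: In the `@@ -278,10 +280,12 @@` hunk the new `\marginpar` is wedged inside the `\item` between `\emph{real arithmetic}` and its trailing comma, so it splits the item's own sentence; move it to the end of the item (after the closing semicolon) so the margin note is anchored to a complete clause. The note's attribution also needs tightening: Gödel's theorem establishes incompleteness of arithmetic, while the undecidability of integer arithmetic with multiplication is usually credited to Church's 1936 result building on it, so either rephrase or attach a citation as the surrounding list does for its other claims.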
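Review bot: In the `@@ -293,7 +297,7 @@` hunk the retitled `\subsection{DPLL modulo theories}` drops the acronym, yet the body keeps referring to the approach through the `\dpllt` macro; consider `\subsection{DPLL modulo theories (DPLL(T))}` so a reader skimming headings can match the two. The `\marginpar{TODO: paragraph about combination of theories}` in the unchanged context line is still open and will be typeset in the output.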
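Review bot: In the `@@ -364,8 +368,8 @@` hunk the only change removes "the" before `\dpllt based solvers`; while editing this sentence, also change "can not directly reason" to "cannot directly reason" and hyphenate `\dpllt-based`. The unchanged context `demand}~\cite{BNOT06} , which` has a stray space before the comma.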
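Review bot: In the `@@ -472,19 +476,19 @@` hunk the replacement of "representing" introduces the misspelling `interpretead as` twice; it should be "interpreted as". "For the detailed description of the \BV theory syntax and semantics" reads better as "For a detailed description". Uncommenting `%The the full \BV logic is treated in the next section.` now puts the doubled "The the" into the typeset text; change the line to `The full \BV logic is treated in the next section.` (the `\section{Satisfiability of quantified bit-vector formulas}` later in the diff is the section it points to).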
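Review bot: In the `@@ -505,14 +509,16 @@` hunk the added `\marginpar{TODO: Nepřidat odstavec o propagating-complete \cnf encodings?}` (Czech for "Shouldn't a paragraph about propagating-complete \cnf encodings be added?") will be printed in the margin of the output like the other TODO notes; keep author notes as `%` comments or behind a `\todo`-style macro that can be switched off for the final build. The heading `\subsection{Word-level techinques}` in the context has a typo ("techniques") that this rewrite could fix as well.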
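Review bot: In the `@@ -525,90 +531,93 @@` hunk the rewording "sequences of $0$, $1$ and $u$, which represents undefined bit" is a grammar regression from "represent undefined bits"; write "where $u$ represents an undefined bit". In the same paragraph "the solver \mcsat can perform the partial assignment" should name the solver `\mcbv`, since the text introduces `\mcsat` as the framework and `\mcbv` as Zeljić et al.'s solver. Further down, "the latest version of Boolector, which have won the 2016 SMT competition" should be "has won", "To combine benefit of" should be "benefits", and the typos "mantains" and "protfolio" survive on both sides. Check "Frohlich et al.~\cite{FBWH15}" against the bibliography entry for the diacritic, and "single static assignment form" is conventionally "static single assignment form".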
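Review bot: In the `@@ -717,11 +726,11 @@` hunk replacing the literal "2-NEXPTIME-complete" with `\NNEXPTIME-complete` requires that `\NNEXPTIME` be defined in the preamble; the preamble changes visible in this commit do not show such a definition, so confirm it exists alongside `\NEXPTIME` and `\EXPSPACE`. The author's name is spelled "Kováznai et al" here but "Kovásznai et al." in the `@@ -742,26 +751,27 @@` hunk; make them consistent. The context also carries "quantifer-free" and "dentoted", which could be fixed in the same edit.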
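Review bot: In the `@@ -733,8 +742,8 @@` hunk the unchanged line "A similar reduction from BV1 to \qbf can show that BV is in \PSPACE" should say "BV1 is in \PSPACE": the preceding sentence reduces QF\_BV1 and the following one establishes \PSPACE-hardness of BV1, so "BV" here is a slip. The hunk header context "binary encoded bit-withs" also has a typo ("bit-widths").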
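Review bot: In the `@@ -742,26 +751,27 @@` hunk the new `\marginpar{The class of effectively propositional formulas is also known the Bernays--Schönfinkel class.}` is missing "as" ("is also known as the Bernays--Schönfinkel class"). Since the margin note is inserted mid-phrase between "The class of effectively" and "propositional formulas", move it after the full sentence so the source reads cleanly and the note is anchored to the complete statement. "quantifier-fre fragment" in the trailing context should be "quantifier-free".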
Includes/config.tex +3 −1 Original line number Original line Diff line number Diff line \theoremstyle{definition} \theoremstyle{definition} \newtheorem{exmp}{Example}[section] \newtheorem{exmp}{Example}[section] %\newcommand{\quotegraffito}[2]{\graffito{#1\\--~\emph{#2}}} No newline at end of file
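Review bot: The added line `%\newcommand{\quotegraffito}[2]{\graffito{#1\\--~\emph{#2}}}` is commented out, so `\quotegraffito` is not defined by this change and any chapter that invokes it will fail to compile; either uncomment the definition or drop it and the call sites together. The file also ends without a trailing newline ("No newline at end of file"), which some tools flag; add one.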
Includes/packages.tex +2 −1 Original line number Original line Diff line number Diff line \usepackage{amssymb} \usepackage{amssymb} \usepackage{amsthm} \usepackage{amsthm} \usepackage[strict]{changepage} \usepackage[strict]{changepage} \usepackage{cleveref}
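Review bot: `\usepackage{cleveref}` must be loaded after `hyperref` (and after `amsthm`, which it already follows here); the hunk shows it appended after `changepage`, so verify that no `hyperref` load comes later in the preamble or in the class file. With cleveref available, the `\ref{ssec:natDomainSat}` in Chapter02 can become `\cref{ssec:natDomainSat}` so the reference type is generated automatically.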