Loading Chapters/Chapter02.tex +73 −71 Original line number Diff line number Diff line Loading @@ -355,13 +355,13 @@ solvers is to convert a \cnf formula to the corresponding \robdd and check the root of the resulting \bdd. If the resulting \bdd has the root 0, the formula is unsatisfiable, and it is satisfiable otherwise. However, in order to keep the size of the \bdd small, it is necessary to existentially quantify the variables as soon as possible. This technique is known as \emph{early necessary to existentially quantify the variables during the computation. This technique is known as \emph{early quantification}~\cite{HKB96}. A simplified symbolic \sat algorithm can be found for example in the survey of \sat solving by Darwiche and Pipatsriswat~\cite{DP09}. Look-ahead based algorithm, in contrast with the \cdcl, are employing Look-ahead based algorithm, in contrast to the \cdcl, are employing expensive heuristics to guide the \dpll search to a satisfying assignment instead of using cheap heuristics and learning from the conflicts~\cite{HD04}. Therefore, while \cdcl solvers are efficient on Loading @@ -379,9 +379,10 @@ theory~\cite{HKM16}. \section{Satisfiability modulo theories} Similarly to \sat, the \emph{satisfiability modulo theories problem} (\smt) is for a given a \cnf formula $\varphi$ in a fixed theory $\mathcal{T}$ decide whether it is $\mathcal{T}$-satisfiable. Depending on the the theory $\mathcal{T}$, the complexity of the \smt problem ranges from polynomial to (\smt) is to decide for a given a \cnf formula $\varphi$ in a fixed theory $\mathcal{T}$ whether it is $\mathcal{T}$-satisfiable. Depending on the theory $\mathcal{T}$, the complexity of the \smt problem ranges from polynomial to undecidable. However, as the formula $\varphi$ can contain Boolean connectives, the \smt problem is at least \NP-hard for non-trivial theories. Loading Loading 
@@ -441,13 +442,12 @@ infinite have been proposed~\cite{TZ05, RRZ05, JB10}. \subsection{DPLL modulo theories} Most of the \smt approaches can be classified as \emph{eager} or \emph{lazy}~\cite{BSST09}. The eager \smt approach consists in directly translating the input formula to an equivalent propositional formula and using an off-the-shelf \sat solver to decide satisfiability of this formula. The eager \smt approach is implemented for example in the \smt solver \uclid, which supports the combination of the theory of uninterpreted functions and the theory of Presburger arithmetic with ordering~\cite{LS04}. \emph{lazy}~\cite{BSST09}. In the eager \smt approach, input formula is directly translated to an equivalent propositional formula and an off-the-shelf \sat solver is used to decide satisfiability of this formula. The eager \smt approach is implemented for example in the \smt solver \uclid, which supports the combination of the theory of uninterpreted functions and linear integer arithmetic~\cite{LS04}. On the other hand, the lazy \smt approach uses a \sat solver to reason about the Boolean structure of the formula and a specialized Loading @@ -471,8 +471,8 @@ $\mathcal{T}$-satisfiable. If the propositional model is not $\mathcal{T}$-satisfiable, the corresponding theory lemma $\neg M^p$ is added to the formula and the procedure is repeated. This variant of the lazy \smt approach is called offline, because it uses the \sat solver as a black box and employs the \smt solver only to check satisfiability of a complete Boolean assignment. solver as a black box and employs the $\mathcal{T}$-solver only to check satisfiability of a complete Boolean assignment. \paragraph{Online approach} In contrast to the offline approach, the \sat and \smt solvers can Loading Loading 
@@ -504,14 +504,13 @@ transition system~\cite{NOT06}. The \dpllt approach is used in the majority of modern \smt solvers, including solvers Barcelogic~\cite{Barcelogic}, CVC4~\cite{CVC4}, MathSAT~\cite{MathSAT}, OpenSMT~\cite{OpenSMT}, Simplify~\cite{Simplify}, Yices~\cite{Yices}, or Z3~\cite{Z3}. Simplify~\cite{Simplify}, Yices~\cite{Yices}, and Z3~\cite{Z3}. \subsection{Natural domain \smt} \label{ssec:natDomainSat} Although the separation of the Boolean and theory reasoning in the \dpll approach allows the solver to be modular, it can be also restricting in some cases. In particular, \dpllt based solvers can not Although the separation of the propositional and theory reasoning in the \dpllt approach allows the solver to be modular, it can be also restricting in some cases. In particular, \dpllt-based solvers can not directly reason about values of first-order variables, but have to rely on the $\mathcal{T}$-solver guiding the search over Boolean valuations. While there are some techniques like \emph{splitting on Loading Loading @@ -571,7 +570,7 @@ search, but in addition to assigning values of Boolean variables, it can assign the value of theory variables and it can generate new literals not occurring in the original formula. De Moura et al. have implemented the \mcsat solver supporting linear real arithmetic and uninterpreted function, which uses model-driven Fourier-Motzkin uninterpreted functions, which uses model-driven Fourier-Motzkin elimination~\cite{Dan63} to learn new predicates from arithmetic conflicts and model-driven Ackermannization~\cite{MB08, Ack54} to learn new predicates from conflicts involving uninterpreted Loading 
@@ -589,7 +588,7 @@ for unsatisfiable formulas, or to compute \emph{Craig interpolants}~\cite{McM06, UltimateInterpol13, UltimateCores14}. In the context of \sat and \smt solving, an unsatisfiable core is a subset of clauses of a unsatisfiable formula that is already subset of clauses of an unsatisfiable formula that is already unsatisfiable~\cite{CGS07}. Three main approaches are used for the unsatisfiable core computation in \smt~\cite{BSST09}. In the first, if a solver can compute resolution proofs for unsatisfiable formulas, the Loading Loading 
@@ -623,19 +622,20 @@ to bit-vectors of length $n$. The only predicate symbols in the \BV theory are $=$, $\leq_u$, and $\leq_s$, interpreted as equality, unsigned inequality of binary-encoded natural numbers, and signed inequality of integers in $2$'s complement representation, respectively. Function symbols in the theory are $+, \times, \div, \&, \mid, \oplus, \ll, \gg, \cdot, \extract{n}{p}$, interpreted as addition, multiplication, unsigned division, bit-wise and, bit-wise or, bit-wise exclusive or, left-shift, right-shift, concatenation, and extraction of $n$ bits starting from the position $p$, respectively. For the detailed description of the \BV theory syntax and semantics, see for example Hadarean's PhD thesis~\cite{Had15}. This section focuses on the problem of satisfiability of the quantifier-free fragment of the \BV theory, denoted \QFBV. The the full \BV logic is treated in the next section. respectively. Function symbols in the theory are $+$, $\times$, $\div$, $\&$, $\mid$, $\oplus$, $\ll$, $\gg$, $\cdot$, $\extract{n}{p}$, interpreted as addition, multiplication, unsigned division, bit-wise and, bit-wise or, bit-wise exclusive or, left-shift, right-shift, concatenation, and extraction of $n$ bits starting from the position $p$, respectively. For the detailed description of the \BV theory syntax and semantics, see for example Hadarean's PhD thesis~\cite{Had15}. This section focuses on the problem of satisfiability of the quantifier-free fragment of the \BV theory, denoted \QFBV. The the full \BV logic is treated in the next section. Current state-of-the-art \smt solvers for the \QFBV logic rely on rewriting techniques, used to simplify the formula during the rewriting techniques used to simplify the formula during the preprocessing, and eager or lazy translation of the bit-vector formula to the equivalent propositional formula, which is subsequently solved by a \sat solver. The transformation of a bit-vector formula to the Loading 
@@ -646,7 +646,7 @@ bit-blasting is beneficial when the theory combination is required. For example, solvers Z3 and Yices apply bit-blasting to all operations except for the equality, which is handled by a specialized solver, and dynamically add axioms of the array theory~\cite{Z3,Yices}, and Boolector applies bit-blasting to the theory~\cite{Z3,Yices}. Boolector applies bit-blasting to the bit-vector operations and lazily instantiates definitions of macros and array axioms~\cite{Boolector}. Furthermore, CVC4 uses lazy and layered solver, which tries to decide the satisfiability using Loading @@ -660,8 +660,9 @@ generated by the sub-solvers are added to the formula and a lazy Although bit-blasting is highly efficient for most of practical problems, it can exhaust memory of the solver if the input formula contains complex arithmetic or variables with large bit-width. Several techniques that avoid the bit-blasting have been proposed to alleviate this problem. techniques that avoid the bit-blasting and work directly on the level of individual bit-vectors (\emph{word-level}) have been proposed to alleviate this problem. Some useful fragments of the bit-vector theory can be solved by specialized algorithms for deciding satisfiability. For example, Loading 
@@ -682,17 +683,17 @@ heuristics for generalizing explanations of bit-vector conflicts. For example, the solver \mcsat can perform the partial assignment $\extract{2}{0}(x) \mapsto 10$, denoting that the two least significant bits of $x$ are $10$. To be able to efficiently use such partial assignments, the solver \mcbv maintains two over-approximations of the set of models that are compatible with the current partial assignment -- using \emph{bit-patterns} and \emph{arithmetic intervals}. Bit-patterns are sequences of $0$, $1$ and $u$, which represents undefined bit, and constrain the values of particular bits in the assignment. On the other hand, arithmetic intervals are pairs of bit-vector values representing lower and upper bounds and constrain integral values of bit-vectors. Both bit-patterns and arithmetic intervals can be ordered to form a lattice in which the solver performs a search for a more general explanation if a conflict is detected. partial assignments, the solver \mcbv maintains two over-approximations of the set of models that are compatible with the current partial assignment -- using \emph{bit-patterns} and \emph{arithmetic intervals}. Bit-patterns are sequences of $0$, $1$ and $u$ (represents undefined bit), which constrain the values of particular bits in the assignment. On the other hand, arithmetic intervals are pairs of bit-vector values representing lower and upper bounds and constrain integral values of bit-vectors. Both bit-patterns and arithmetic intervals can be ordered to form a lattice in which the solver performs a search for a more general explanation if a conflict is detected. Another word-level approach for the full bit-vector theory is \emph{stochastic local search} (\sls), proposed for solving Loading 
@@ -709,10 +710,10 @@ necessary to satisfy randomly selected subformulas. The \sls based solver has been shown to be able to decide several formulas not decided by bit-blasting solvers. To combine benefit of bit-blasting and \sls approaches, the latest version of Boolector, which have won the 2016 SMT competition in category of quantifier-free bit-vectors, uses a portfolio approach, which consists in first running a \sls based solver for a short period of time and then running a bit-blasting solver if the \sls solver fails to solve the the 2016 SMT competition in the category of quantifier-free bit-vectors, uses a portfolio approach, which consists in first running a \sls based solver for a short period of time and then running a bit-blasting solver if the \sls solver fails to solve the formula~\cite{BoolectorComp}. \subsection{Preprocessing} Loading Loading @@ -741,9 +742,9 @@ relevant for software verification. A variable $x$ in a formula is called \emph{unconstrained} if it occurs only once in the formula. Brummayer~\cite{Brum10} and Bruttomesso~\cite{Bru08} have independently observed that if an unconstrained variable occurs as an argument to a function symbol, which can be \emph{inverted} with respect to this argument, replacing this function with a fresh variable yields an equisatisfiable unconstrained variable occurs as an argument to a function symbol that can be \emph{inverted} with respect to this argument, replacing this function with a fresh variable yields an equisatisfiable formula. Moreover, unconstrained variables often occur in the industrial benchmarks and especially in benchmarks produced during a verification of programs in a single static assignment form, such as Loading 
@@ -766,22 +767,22 @@ in bit-vectors precisely if $k$ is odd. Although the bit-vector theory admits quantifier elimination by expanding all quantifiers with all possible bit-vector values of the corresponding bit-width, this is rarely practical approach. Instead, the formula is usually converted to a equisatisfiable formula by corresponding bit-width, this is rarely a practical approach. Instead, the formula is usually converted to an equisatisfiable formula by Skolemization and then instances of the universally quantified formulas are lazily added to the formula until a model is found or the formula is found to be unsatisfiable by a \QFBV solver. There are multiple ways to choose quantifier instances that are sufficient to decide the satisfiability of the formula. For the bit-vector theory, the most widely used approach is the \emph{model-based quantifier instantiation} approach~\cite{GM09}, supported by Z3, CVC4, and Yices, combined by heuristics as E-matching or symbolic quantifier instantiation~\cite{WHD13,Dut15}. Additionally, for dealing with quantifiers, CVC4 supports solving quantified formulas by instantiation}~\cite{GM09}, implemented in Z3, CVC4, and Yices, combined by heuristics as \emph{E-matching} or \emph{symbolic quantifier instantiation}~\cite{WHD13,Dut15}. Additionally, for dealing with quantifiers, CVC4 supports solving quantified formulas by \emph{counter-example guided quantifier instantiation}~\cite{RDKT15}. % and \emph{finite model finding}~\cite{RTG13}. However, we describe only the model-based quantifier instantiation in detail, as the counter-example guided quantifier considers all We describe only the model-based quantifier instantiation in detail, as the counter-example guided quantifier instantiation considers all functions as uninterpreted during the conflict search, and therefore its performance on bit-vector formulas is limited. Loading 
@@ -807,9 +808,9 @@ indeed a model of the formula $\forall x_1, x_2, \dots, x_n\,(\psi)$, therefore the entire formula is satisfiable and $M$ is its model. If $\neg \widehat{\psi}$ is satisfiable, we get values $v_1, \dots, v_n$ such that $\neg\widehat{\psi}[v_1, \dots, v_n]$ holds. To rule out $M$ as a model, the instance $\psi[v_1, \dots, v_n]$ of the quantified formula is added to the quantifier-free part, i.e.~the formula $\varphi$ is modified to $M$ as a model as the formula $\varphi$, the instance $\psi[v_1, \dots, v_n]$ of the quantified formula is added to the quantifier-free part, i.e.~the formula $\varphi$ is modified to \[ \varphi' ~\equiv~ \varphi \wedge \psi[v_1, \dots, v_n], \] Loading Loading @@ -877,7 +878,7 @@ quantifier-free fragments are denoted by the prefix QF\_, the combination with the theory of uninterpreted functions is denoted by the prefix UF, and the problems with unary and binary encoded bit-widths are denoted by suffixes 1 and 2, respectively. For example, QF\_UFBV2 is the decision problem for quantifier free formulas with QF\_UFBV2 is the decision problem for quantifier-free formulas with uninterpreted functions and binary encoded bit-widths. The completeness results for these classes are summarized in table \ref{tbl:complexity}, and briefly explained in the rest of this section. Loading Loading 
@@ -914,8 +915,9 @@ polynomial time reduction from QF\_BV1 to \sat, showing that QF\_BV1 is in NP. A similar reduction from BV1 to \qbf can show that BV is in \PSPACE. For lower bounds, \NP-hardness of QF\_BV1 follows from a simple reduction from \sat, by encoding each propositional variable as a bit-vector of bit-width 1, and similarly, BV1 can be shown to be \PSPACE-hard. a bit-vector of bit-width 1. Similarly, BV1 can be shown to be \PSPACE-hard by considering every bit-vector as a quantified variable of bit-width 1. In quantifier-free formulas, uninterpreted functions can be eliminated by the Ackermann expansion with only quadratic increase in the size of Loading @@ -927,8 +929,8 @@ fragment of the first-order logic, which is well known to be \NEXPTIME-complete~\cite{WHD13}. The class of effectively \marginpar{The class of effectively propositional formulas is also known as the Bernays--Schönfinkel class.} propositional formulas consists only of formulas in form $\exists^*\forall^*\varphi$, where $\varphi$ does not contain any quantifiers or function symbols. consists only of formulas in the form $\exists^*\forall^*\varphi$, where $\varphi$ does not contain any quantifiers or function symbols. \paragraph{Binary encoded bit-widths} For formulas with binary encoded bit-widths, the bit-blasting may Loading 
@@ -950,7 +952,7 @@ Similarly to the case with the unary encoding, the complexity of the quantifier-free fragment stays the same when the uninterpreted functions are added -- QF\_UFBV2 can be shown to be in \NEXPTIME by the Ackermann reduction and \NEXPTIME-hard by the simple reduction from QF\_UFBV2. The complexity of the problem after adding quantifiers from QF\_BV2. The complexity of the problem after adding quantifiers and uninterpreted functions was investigated by Kovásznai et al.~\cite{KFB12}. Reencoding of all bit-widths to unary shows that UFBV2 is in \NNEXPTIME. For the lower bound, Kovásznai et al. present Loading Chapters/Chapter03.tex +53 −51 File changed.Preview size limit exceeded, changes collapsed. Show changes Chapters/Chapter04.tex +34 −39 Original line number Diff line number Diff line Loading @@ -5,13 +5,13 @@ \section{Objectives and Expected Results} \subsection{Symbolic solver for quantified bit-vectors} I will continue developing the implemented symbolic \smt solver Q3B, which is aimed at solving quantified bit-vector formulas. In I plan to continue developing the implemented symbolic \smt solver Q3B, which is aimed at solving quantified bit-vector formulas. In particular, I plan to add support for uninterpreted functions and the theory of arrays, which is highly desirable for applications in the program verification. I also want to implement extraction of an unsatisfiable core from the intermediate \bdds that were produced during the computation of the solver. during the computation. Additionally, currently implemented approximations are very simple and could benefit from better refinement in the case that the current Loading 
@@ -21,26 +21,27 @@ Moreover, I want to implement other variants of decision diagrams such as zero-suppressed decision diagrams introduced by Minato~\cite{Min93}, binary moment diagrams introduced by Bryant and Chen~\cite{BC95}, and algebraic decision diagrams introduced by Bahar et al.~\cite{BFGHMPS} and experimentally evaluate their effect on the performance of the symbolic \smt solver for the quantified et al.~\cite{BFGHMPS}. I plan to experimentally evaluate their effect on the performance of the symbolic \smt solver for the quantified bit-vectors. \subsection{Hybrid approach to quantified bit-vectors} Although results of the symbolic \smt solver for quantified bit-vectors look promising, standard \smt solvers still perform better on queries containing multiplication and complex bit-vectors look promising, standard \smt solvers still perform better on queries containing multiplication and complex arithmetic. Therefore, I plan to develop a hybrid approach to \smt solving of quantified bit-vector formulas that combines strengths of both of these approaches. For example, parts of the quantified formula that do not contain multiplication can be converted to the \bdd, which can be used to guide the model search in the model-based quantifier instantiation. One possible way of achieving this is adding support for \bdds to the solver \mcbv developed by Zeljić et al. The \bdd representation can be added to the currently used over-approximations by bit-patterns and arithmetic intervals. Moreover, a tighter cooperation is possible -- if a \mcsat solver decides a value, it can be used to partially instantiate a quantified part of the formula, for which the \bdd will be computed. both of these approaches. For example, parts of the quantified formula that do not contain multiplication can be converted to the \bdd, which can be used to guide the model search in the model-based quantifier instantiation of the other parts of the formula. 
One possible way of achieving this is adding support for \bdds to the solver \mcbv developed by Zeljić et al. The \bdd representation can be added to the currently used over-approximations by bit-patterns and arithmetic intervals. Moreover, a tighter cooperation is possible -- if a value of a variable is decided by during the \mcbv computation, it can be used to partially instantiate a quantified part of the formula, for which the \bdd will be computed. As the part of my PhD study, an implementation of a solver using the hybrid approach and its evaluation on the representative set of Loading @@ -53,9 +54,9 @@ Simplifications using unconstrained variables can be extended to quantified formulas. However, in the quantified setting, constraints among variables can be introduced also by the order in which the variables are quantified. We have formulated a hypothesis that describes the necessary condition for the quantified variable to be describes a sufficient condition for the quantified variable to be considered as unconstrained. Based on this hypothesis and a partial proof of its validity, we have implemented an proof-of-concept proof of its validity, we have implemented a proof-of-concept simplification procedure that can simplify quantified formulas that contain unconstrained variables. Although the initial experimental results, conducted on the formulas from the semi-symbolic model Loading 
@@ -64,23 +65,23 @@ correctness is not yet complete. Moreover, the simplifications of formulas with unconstrained variables can be further extended. For example, if a formula contains a term $k \times x$ with an odd values of $k$ and the variable $x$ is unconstrained, this term can be replaced by a simpler term. In particular, if $i$ is the largest number for which $2^i$ divides the constant $k$ and the unconstrained variable $x$ has bit-width $n$, the term $k \times x$ can be rewritten to $extract_0^{n-i}(x) \cdot 0^i$. This approach can be also extended to the multiplication of two variables from which one is unconstrained. I plan to investigate further extensions to the terms containing division and remainder operations and to publish a paper concerning propagation of unconstrained variables in quantified formulas and extensions of unconstrained variable simplification to multiplication and division. I will also experimentally evaluate the effect of such $k \times x$ in which the variable $x$ is unconstrained, this term can be replaced by a simpler term regargless the parity of the value $k$. In particular, if $i$ is the largest number for which $2^i$ divides the constant $k$ and the unconstrained variable $x$ has bit-width $n$, the term $k \times x$ can be rewritten to $extract_0^{n-i}(x) \cdot 0^i$.. This approach can be also extended to the multiplication of two variables from which one is unconstrained. I plan to investigate further extensions to the terms containing division and remainder operations and to publish a paper concerning propagation of unconstrained variables in quantified formulas and extensions of unconstrained variable simplification to multiplication and division. I will also experimentally evaluate the effect of such simplifications on our solver Q3B and on state-of the art solvers such as Boolector, CVC4, and Z3. 
\subsection{Complexity of BV2} As was explained in section \ref{sec:complexity}, the precise As was explained in Section \ref{sec:complexity}, the precise complexity of quantified bit-vector formulas with binary-encoded bit-widths and without uninterpreted functions is not known. It is known to be in \EXPSPACE and to be \NEXPTIME-hard. However, a class Loading @@ -93,13 +94,7 @@ BV2 is complete for the class of problems solvable by the and \emph{polynomial number of alternations} with respect to log-space reduction. This class is usually denoted as \AEXPTIMEp and is known to be in between \NEXPTIME and \EXPSPACE~\cite{HKVV15, Luc16}. However, whether any of the inclusions is proper is not known. The \AEXPTIMEp-hardness of the BV2 can be shown by reducing the problem of satisfiability of \emph{quantified second order boolean formulas}, which was recently proven to be \AEXPTIMEp-hard by Lück~\cite{Luc16}. Expected result is a paper published at an international conference or in a journal. whether any of the inclusions is proper is not known. \section{Progression Schedule} The plan of my future study and research activities is following: Loading classicthesis-config.tex +1 −1 Original line number Diff line number Diff line Loading @@ -98,7 +98,7 @@ %style=authoryear-comp, % Author 1999, 2010 %bibstyle=authoryear,dashed=false, % dashed: substitute rep. author with --- sorting=nyt, % name, year, title maxbibnames=3, % default: 3, et al. maxbibnames=10, % default: 3, et al. %backref=true,% natbib=true % natbib compatibility mode (\citep and \citet still work) }{biblatex} Loading Loading
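Review bot: in the Chapter02.tex hunk at @@ -355, the rewritten line keeps a number-agreement error: `Look-ahead based algorithm, in contrast to the \cdcl, are employing` pairs a singular subject with a plural verb. Suggest `Look-ahead based algorithms, in contrast to \cdcl, employ expensive heuristics ... instead of using cheap heuristics`, which also removes the awkward progressive `are employing`.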
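Review bot: in the Chapter02.tex hunk at @@ -379, the reordered sentence still carries the doubled article from the old text: `is to decide for a given a \cnf formula`. Suggest `is to decide, for a given \cnf formula $\varphi$ in a fixed theory $\mathcal{T}$, whether it is $\mathcal{T}$-satisfiable`.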
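Review bot: in the Chapter02.tex hunk at @@ -441, `In the eager \smt approach, input formula is directly translated` is missing the article; suggest `the input formula is directly translated`. Separately, replacing `the theory of Presburger arithmetic with ordering` by `linear integer arithmetic` changes what \uclid is stated to support while the citation~\cite{LS04} stays the same, so please confirm the new wording against that reference.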
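Review bot: in the Chapter02.tex hunk at @@ -623, the duplicated word in `The the full \BV logic is treated in the next section.` survives the rewrite of the surrounding lines even though that line is part of the replaced block; suggest `The full \BV logic is treated in the next section.`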
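Review bot: in the Chapter02.tex hunk at @@ -682, the new parenthetical `$u$ (represents undefined bit)` is ungrammatical; suggest `$u$ (representing an undefined bit)`, which also reads correctly with the relative clause `which constrain the values of particular bits` that follows it.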
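Review bot: in the Chapter02.tex hunk at @@ -709, the unchanged context line `the latest version of Boolector, which have won` still disagrees in number with its singular subject, and `To combine benefit of bit-blasting and \sls approaches` lacks an article and a plural. Since the adjacent line is already being rewritten, suggest fixing both in the same change: `To combine the benefits of the bit-blasting and \sls approaches, the latest version of Boolector, which has won the 2016 SMT competition in the category of quantifier-free bit-vectors, ...`.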
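Review bot: in the Chapter02.tex hunk at @@ -766, `combined by heuristics as \emph{E-matching}` should read `combined with heuristics such as \emph{E-matching}`; the rest of the rewrite (`a practical approach`, `an equisatisfiable formula`, the dropped `However`) is fine.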
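Review bot: in the Chapter02.tex hunk at @@ -807, the new phrase `To rule out $M$ as a model as the formula $\varphi$` looks like a typo for `To rule out $M$ as a model of the formula $\varphi$`; the sentence before it (`$M$ is its model`) uses the same construction, so the preposition should be `of`.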
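Review bot: in the Chapter02.tex hunk at @@ -914, the new sentence `BV1 can be shown to be \PSPACE-hard by considering every bit-vector as a quantified variable of bit-width 1` does not name the problem being reduced from, so it does not describe a reduction; the natural source is \qbf, which the same hunk already uses for the upper bound. Suggest mirroring the QF\_BV1 sentence above it: `Similarly, BV1 can be shown to be \PSPACE-hard by a reduction from \qbf, by encoding each quantified propositional variable as a quantified bit-vector variable of bit-width 1.` Also, the unchanged context line `can show that BV is in \PSPACE` presumably means `BV1 is in \PSPACE`, since the reduction described starts from BV1.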
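Review bot: in the Chapter04.tex hunk at @@ -21, `if a value of a variable is decided by during the \mcbv computation` leaves a stray `by` behind from the old wording (`if a \mcsat solver decides a value`); suggest `if the value of a variable is decided during the \mcbv computation`.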
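Review bot: in the Chapter04.tex hunk at @@ -64, three small defects in the rewritten lines: `regargless the parity` should be `regardless of the parity`; `$extract_0^{n-i}(x) \cdot 0^i$..` ends with a doubled period; and `state-of the art solvers` should be hyphenated consistently as `state-of-the-art solvers`. In addition, `$extract_0^{n-i}(x)$` is typeset as a bare identifier whereas Chapter02 defines the same operator through the `\extract{n}{p}` macro ($n$ bits starting from position $p$); using the macro here, with its argument order, would keep the notation consistent across chapters. The rewrite itself is consistent with the stated facts: for $k = 2^i \cdot k'$ with $k'$ odd, $k' \times x$ is invertible in bit-vectors (as the context line `precisely if $k$ is odd` notes), so $k \times x$ reduces to a fresh $(n-i)$-bit value followed by $i$ zero bits.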
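Review bot: in the Chapter04.tex hunk at @@ -93, the deletion removes both the \AEXPTIMEp-hardness sketch and the closing `Expected result is a paper published at an international conference or in a journal.`, so the subsection now ends on `whether any of the inclusions is proper is not known` with no statement of planned work, unlike the other Chapter04 subsections in this diff (which state an implementation to be evaluated or a paper to be published). If the hardness argument was dropped because it is not yet established, consider keeping a one-sentence statement of the intended result.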
Chapters/Chapter02.tex +73 −71 Original line number Diff line number Diff line Loading @@ -355,13 +355,13 @@ solvers is to convert a \cnf formula to the corresponding \robdd and check the root of the resulting \bdd. If the resulting \bdd has the root 0, the formula is unsatisfiable, and it is satisfiable otherwise. However, in order to keep the size of the \bdd small, it is necessary to existentially quantify the variables as soon as possible. This technique is known as \emph{early necessary to existentially quantify the variables during the computation. This technique is known as \emph{early quantification}~\cite{HKB96}. A simplified symbolic \sat algorithm can be found for example in the survey of \sat solving by Darwiche and Pipatsriswat~\cite{DP09}. Look-ahead based algorithm, in contrast with the \cdcl, are employing Look-ahead based algorithm, in contrast to the \cdcl, are employing expensive heuristics to guide the \dpll search to a satisfying assignment instead of using cheap heuristics and learning from the conflicts~\cite{HD04}. Therefore, while \cdcl solvers are efficient on Loading @@ -379,9 +379,10 @@ theory~\cite{HKM16}. \section{Satisfiability modulo theories} Similarly to \sat, the \emph{satisfiability modulo theories problem} (\smt) is for a given a \cnf formula $\varphi$ in a fixed theory $\mathcal{T}$ decide whether it is $\mathcal{T}$-satisfiable. Depending on the the theory $\mathcal{T}$, the complexity of the \smt problem ranges from polynomial to (\smt) is to decide for a given a \cnf formula $\varphi$ in a fixed theory $\mathcal{T}$ whether it is $\mathcal{T}$-satisfiable. Depending on the theory $\mathcal{T}$, the complexity of the \smt problem ranges from polynomial to undecidable. However, as the formula $\varphi$ can contain Boolean connectives, the \smt problem is at least \NP-hard for non-trivial theories. Loading Loading 
@@ -441,13 +442,12 @@ infinite have been proposed~\cite{TZ05, RRZ05, JB10}. \subsection{DPLL modulo theories} Most of the \smt approaches can be classified as \emph{eager} or \emph{lazy}~\cite{BSST09}. The eager \smt approach consists in directly translating the input formula to an equivalent propositional formula and using an off-the-shelf \sat solver to decide satisfiability of this formula. The eager \smt approach is implemented for example in the \smt solver \uclid, which supports the combination of the theory of uninterpreted functions and the theory of Presburger arithmetic with ordering~\cite{LS04}. \emph{lazy}~\cite{BSST09}. In the eager \smt approach, input formula is directly translated to an equivalent propositional formula and an off-the-shelf \sat solver is used to decide satisfiability of this formula. The eager \smt approach is implemented for example in the \smt solver \uclid, which supports the combination of the theory of uninterpreted functions and linear integer arithmetic~\cite{LS04}. On the other hand, the lazy \smt approach uses a \sat solver to reason about the Boolean structure of the formula and a specialized Loading @@ -471,8 +471,8 @@ $\mathcal{T}$-satisfiable. If the propositional model is not $\mathcal{T}$-satisfiable, the corresponding theory lemma $\neg M^p$ is added to the formula and the procedure is repeated. This variant of the lazy \smt approach is called offline, because it uses the \sat solver as a black box and employs the \smt solver only to check satisfiability of a complete Boolean assignment. solver as a black box and employs the $\mathcal{T}$-solver only to check satisfiability of a complete Boolean assignment. \paragraph{Online approach} In contrast to the offline approach, the \sat and \smt solvers can Loading Loading 
@@ -504,14 +504,13 @@ transition system~\cite{NOT06}. The \dpllt approach is used in the majority of modern \smt solvers, including solvers Barcelogic~\cite{Barcelogic}, CVC4~\cite{CVC4}, MathSAT~\cite{MathSAT}, OpenSMT~\cite{OpenSMT}, Simplify~\cite{Simplify}, Yices~\cite{Yices}, or Z3~\cite{Z3}. Simplify~\cite{Simplify}, Yices~\cite{Yices}, and Z3~\cite{Z3}. \subsection{Natural domain \smt} \label{ssec:natDomainSat} Although the separation of the Boolean and theory reasoning in the \dpll approach allows the solver to be modular, it can be also restricting in some cases. In particular, \dpllt based solvers can not Although the separation of the propositional and theory reasoning in the \dpllt approach allows the solver to be modular, it can be also restricting in some cases. In particular, \dpllt-based solvers can not directly reason about values of first-order variables, but have to rely on the $\mathcal{T}$-solver guiding the search over Boolean valuations. While there are some techniques like \emph{splitting on Loading Loading @@ -571,7 +570,7 @@ search, but in addition to assigning values of Boolean variables, it can assign the value of theory variables and it can generate new literals not occurring in the original formula. De Moura et al. have implemented the \mcsat solver supporting linear real arithmetic and uninterpreted function, which uses model-driven Fourier-Motzkin uninterpreted functions, which uses model-driven Fourier-Motzkin elimination~\cite{Dan63} to learn new predicates from arithmetic conflicts and model-driven Ackermannization~\cite{MB08, Ack54} to learn new predicates from conflicts involving uninterpreted Loading 
@@ -589,7 +588,7 @@ for unsatisfiable formulas, or to compute \emph{Craig interpolants}~\cite{McM06, UltimateInterpol13, UltimateCores14}. In the context of \sat and \smt solving, an unsatisfiable core is a subset of clauses of a unsatisfiable formula that is already subset of clauses of an unsatisfiable formula that is already unsatisfiable~\cite{CGS07}. Three main approaches are used for the unsatisfiable core computation in \smt~\cite{BSST09}. In the first, if a solver can compute resolution proofs for unsatisfiable formulas, the Loading Loading 
@@ -623,19 +622,20 @@ to bit-vectors of length $n$. The only predicate symbols in the \BV theory are $=$, $\leq_u$, and $\leq_s$, interpreted as equality, unsigned inequality of binary-encoded natural numbers, and signed inequality of integers in $2$'s complement representation, respectively. Function symbols in the theory are $+, \times, \div, \&, \mid, \oplus, \ll, \gg, \cdot, \extract{n}{p}$, interpreted as addition, multiplication, unsigned division, bit-wise and, bit-wise or, bit-wise exclusive or, left-shift, right-shift, concatenation, and extraction of $n$ bits starting from the position $p$, respectively. For the detailed description of the \BV theory syntax and semantics, see for example Hadarean's PhD thesis~\cite{Had15}. This section focuses on the problem of satisfiability of the quantifier-free fragment of the \BV theory, denoted \QFBV. The the full \BV logic is treated in the next section. respectively. Function symbols in the theory are $+$, $\times$, $\div$, $\&$, $\mid$, $\oplus$, $\ll$, $\gg$, $\cdot$, $\extract{n}{p}$, interpreted as addition, multiplication, unsigned division, bit-wise and, bit-wise or, bit-wise exclusive or, left-shift, right-shift, concatenation, and extraction of $n$ bits starting from the position $p$, respectively. For the detailed description of the \BV theory syntax and semantics, see for example Hadarean's PhD thesis~\cite{Had15}. This section focuses on the problem of satisfiability of the quantifier-free fragment of the \BV theory, denoted \QFBV. The the full \BV logic is treated in the next section. Current state-of-the-art \smt solvers for the \QFBV logic rely on rewriting techniques, used to simplify the formula during the rewriting techniques used to simplify the formula during the preprocessing, and eager or lazy translation of the bit-vector formula to the equivalent propositional formula, which is subsequently solved by a \sat solver. The transformation of a bit-vector formula to the Loading 
@@ -646,7 +646,7 @@ bit-blasting is beneficial when the theory combination is required. For example, solvers Z3 and Yices apply bit-blasting to all operations except for the equality, which is handled by a specialized solver, and dynamically add axioms of the array theory~\cite{Z3,Yices}, and Boolector applies bit-blasting to the theory~\cite{Z3,Yices}. Boolector applies bit-blasting to the bit-vector operations and lazily instantiates definitions of macros and array axioms~\cite{Boolector}. Furthermore, CVC4 uses lazy and layered solver, which tries to decide the satisfiability using Loading @@ -660,8 +660,9 @@ generated by the sub-solvers are added to the formula and a lazy Although bit-blasting is highly efficient for most of practical problems, it can exhaust memory of the solver if the input formula contains complex arithmetic or variables with large bit-width. Several techniques that avoid the bit-blasting have been proposed to alleviate this problem. techniques that avoid the bit-blasting and work directly on the level of individual bit-vectors (\emph{word-level}) have been proposed to alleviate this problem. Some useful fragments of the bit-vector theory can be solved by specialized algorithms for deciding satisfiability. For example, Loading 
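Review bot: in the second hunk (@@ -660), "Several techniques that avoid the bit-blasting and work directly on the level of individual bit-vectors" should drop the article ("avoid bit-blasting"), and the surrounding context lines "highly efficient for most of practical problems" and "exhaust memory of the solver" read better as "most practical problems" and "the solver's memory". In the first hunk, the unchanged line "Furthermore, CVC4 uses lazy and layered solver" is missing an article: "a lazy and layered solver".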
@@ -682,17 +683,17 @@ heuristics for generalizing explanations of bit-vector conflicts. For example, the solver \mcsat can perform the partial assignment $\extract{2}{0}(x) \mapsto 10$, denoting that the two least significant bits of $x$ are $10$. To be able to efficiently use such partial assignments, the solver \mcbv maintains two over-approximations of the set of models that are compatible with the current partial assignment -- using \emph{bit-patterns} and \emph{arithmetic intervals}. Bit-patterns are sequences of $0$, $1$ and $u$, which represents undefined bit, and constrain the values of particular bits in the assignment. On the other hand, arithmetic intervals are pairs of bit-vector values representing lower and upper bounds and constrain integral values of bit-vectors. Both bit-patterns and arithmetic intervals can be ordered to form a lattice in which the solver performs a search for a more general explanation if a conflict is detected. partial assignments, the solver \mcbv maintains two over-approximations of the set of models that are compatible with the current partial assignment -- using \emph{bit-patterns} and \emph{arithmetic intervals}. Bit-patterns are sequences of $0$, $1$ and $u$ (represents undefined bit), which constrain the values of particular bits in the assignment. On the other hand, arithmetic intervals are pairs of bit-vector values representing lower and upper bounds and constrain integral values of bit-vectors. Both bit-patterns and arithmetic intervals can be ordered to form a lattice in which the solver performs a search for a more general explanation if a conflict is detected. Another word-level approach for the full bit-vector theory is \emph{stochastic local search} (\sls), proposed for solving Loading 
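Review bot: the parenthetical in "sequences of $0$, $1$ and $u$ (represents undefined bit), which constrain" does not parse as a clause; suggest "sequences of $0$, $1$ and $u$, where $u$ denotes an undefined bit, which constrain the values of particular bits in the assignment." Also check the solver name in this paragraph: the context line says "the solver \mcsat can perform the partial assignment" while the rewritten line says "the solver \mcbv maintains two over-approximations"; if \mcsat is the framework and \mcbv the solver, the first occurrence should be \mcbv as well.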
@@ -709,10 +710,10 @@ necessary to satisfy randomly selected subformulas. The \sls based solver has been shown to be able to decide several formulas not decided by bit-blasting solvers. To combine benefit of bit-blasting and \sls approaches, the latest version of Boolector, which have won the 2016 SMT competition in category of quantifier-free bit-vectors, uses a portfolio approach, which consists in first running a \sls based solver for a short period of time and then running a bit-blasting solver if the \sls solver fails to solve the the 2016 SMT competition in the category of quantifier-free bit-vectors, uses a portfolio approach, which consists in first running a \sls based solver for a short period of time and then running a bit-blasting solver if the \sls solver fails to solve the formula~\cite{BoolectorComp}. \subsection{Preprocessing} Loading Loading @@ -741,9 +742,9 @@ relevant for software verification. A variable $x$ in a formula is called \emph{unconstrained} if it occurs only once in the formula. Brummayer~\cite{Brum10} and Bruttomesso~\cite{Bru08} have independently observed that if an unconstrained variable occurs as an argument to a function symbol, which can be \emph{inverted} with respect to this argument, replacing this function with a fresh variable yields an equisatisfiable unconstrained variable occurs as an argument to a function symbol that can be \emph{inverted} with respect to this argument, replacing this function with a fresh variable yields an equisatisfiable formula. Moreover, unconstrained variables often occur in the industrial benchmarks and especially in benchmarks produced during a verification of programs in a single static assignment form, such as Loading 
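Review bot: the context line just before the rewritten lines, "the latest version of Boolector, which have won", has a number-agreement error ("which has won"), and "To combine benefit of bit-blasting and \sls approaches" should read "To combine the benefits of the bit-blasting and \sls approaches". In the second hunk (@@ -741), "often occur in the industrial benchmarks" reads better without the article.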
@@ -766,22 +767,22 @@ in bit-vectors precisely if $k$ is odd. Although the bit-vector theory admits quantifier elimination by expanding all quantifiers with all possible bit-vector values of the corresponding bit-width, this is rarely practical approach. Instead, the formula is usually converted to a equisatisfiable formula by corresponding bit-width, this is rarely a practical approach. Instead, the formula is usually converted to an equisatisfiable formula by Skolemization and then instances of the universally quantified formulas are lazily added to the formula until a model is found or the formula is found to be unsatisfiable by a \QFBV solver. There are multiple ways to choose quantifier instances that are sufficient to decide the satisfiability of the formula. For the bit-vector theory, the most widely used approach is the \emph{model-based quantifier instantiation} approach~\cite{GM09}, supported by Z3, CVC4, and Yices, combined by heuristics as E-matching or symbolic quantifier instantiation~\cite{WHD13,Dut15}. Additionally, for dealing with quantifiers, CVC4 supports solving quantified formulas by instantiation}~\cite{GM09}, implemented in Z3, CVC4, and Yices, combined by heuristics as \emph{E-matching} or \emph{symbolic quantifier instantiation}~\cite{WHD13,Dut15}. Additionally, for dealing with quantifiers, CVC4 supports solving quantified formulas by \emph{counter-example guided quantifier instantiation}~\cite{RDKT15}. % and \emph{finite model finding}~\cite{RTG13}. However, we describe only the model-based quantifier instantiation in detail, as the counter-example guided quantifier considers all We describe only the model-based quantifier instantiation in detail, as the counter-example guided quantifier instantiation considers all functions as uninterpreted during the conflict search, and therefore its performance on bit-vector formulas is limited. Loading 
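Review bot: "combined by heuristics as \emph{E-matching} or \emph{symbolic quantifier instantiation}" should be "combined with heuristics such as \emph{E-matching} or \emph{symbolic quantifier instantiation}". In the rewritten last sentence, "considers all functions as uninterpreted during the conflict search" would be clearer as "treats all functions as uninterpreted during the conflict search".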
@@ -807,9 +808,9 @@ indeed a model of the formula $\forall x_1, x_2, \dots, x_n\,(\psi)$, therefore the entire formula is satisfiable and $M$ is its model. If $\neg \widehat{\psi}$ is satisfiable, we get values $v_1, \dots, v_n$ such that $\neg\widehat{\psi}[v_1, \dots, v_n]$ holds. To rule out $M$ as a model, the instance $\psi[v_1, \dots, v_n]$ of the quantified formula is added to the quantifier-free part, i.e.~the formula $\varphi$ is modified to $M$ as a model as the formula $\varphi$, the instance $\psi[v_1, \dots, v_n]$ of the quantified formula is added to the quantifier-free part, i.e.~the formula $\varphi$ is modified to \[ \varphi' ~\equiv~ \varphi \wedge \psi[v_1, \dots, v_n], \] Loading Loading @@ -877,7 +878,7 @@ quantifier-free fragments are denoted by the prefix QF\_, the combination with the theory of uninterpreted functions is denoted by the prefix UF, and the problems with unary and binary encoded bit-widths are denoted by suffixes 1 and 2, respectively. For example, QF\_UFBV2 is the decision problem for quantifier free formulas with QF\_UFBV2 is the decision problem for quantifier-free formulas with uninterpreted functions and binary encoded bit-widths. The completeness results for these classes are summarized in table \ref{tbl:complexity}, and briefly explained in the rest of this section. Loading Loading 
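Review bot: the rewritten sentence "To rule out $M$ as a model as the formula $\varphi$, the instance $\psi[v_1, \dots, v_n]$ ... is added" is garbled; presumably "To rule out $M$ as a model of the formula $\varphi$", which matches what follows (after adding the instance, $M$ is no longer a model of $\varphi'$). In the second hunk (@@ -877), "summarized in table \ref{tbl:complexity}" is inconsistent with the capitalised "Section \ref{sec:complexity}" introduced in Chapter04.tex; use "Table \ref{tbl:complexity}".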
@@ -914,8 +915,9 @@ polynomial time reduction from QF\_BV1 to \sat, showing that QF\_BV1 is in NP. A similar reduction from BV1 to \qbf can show that BV is in \PSPACE. For lower bounds, \NP-hardness of QF\_BV1 follows from a simple reduction from \sat, by encoding each propositional variable as a bit-vector of bit-width 1, and similarly, BV1 can be shown to be \PSPACE-hard. a bit-vector of bit-width 1. Similarly, BV1 can be shown to be \PSPACE-hard by considering every bit-vector as a quantified variable of bit-width 1. In quantifier-free formulas, uninterpreted functions can be eliminated by the Ackermann expansion with only quadratic increase in the size of Loading @@ -927,8 +929,8 @@ fragment of the first-order logic, which is well known to be \NEXPTIME-complete~\cite{WHD13}. The class of effectively \marginpar{The class of effectively propositional formulas is also known as the Bernays--Schönfinkel class.} propositional formulas consists only of formulas in form $\exists^*\forall^*\varphi$, where $\varphi$ does not contain any quantifiers or function symbols. consists only of formulas in the form $\exists^*\forall^*\varphi$, where $\varphi$ does not contain any quantifiers or function symbols. \paragraph{Binary encoded bit-widths} For formulas with binary encoded bit-widths, the bit-blasting may Loading @@ -950,7 +952,7 @@ Similarly to the case with the unary encoding, the complexity of the quantifier-free fragment stays the same when the uninterpreted functions are added -- QF\_UFBV2 can be shown to be in \NEXPTIME by the Ackermann reduction and \NEXPTIME-hard by the simple reduction from QF\_UFBV2. The complexity of the problem after adding quantifiers from QF\_BV2. The complexity of the problem after adding quantifiers and uninterpreted functions was investigated by Kovásznai et al.~\cite{KFB12}. Reencoding of all bit-widths to unary shows that UFBV2 is in \NNEXPTIME. For the lower bound, Kovásznai et al. present Loading
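Review bot: the unchanged line "A similar reduction from BV1 to \qbf can show that BV is in \PSPACE" should say BV1, since the binary-encoded fragment BV2 is treated separately below. The new justification "BV1 can be shown to be \PSPACE-hard by considering every bit-vector as a quantified variable of bit-width 1" states the reduction backwards: hardness comes from reducing \qbf to BV1 by encoding each quantified propositional variable as a quantified bit-vector of bit-width 1, mirroring the reduction from \sat to QF\_BV1 given in the preceding sentence; suggest phrasing it that way.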
Chapters/Chapter03.tex +53 −51 File changed. Preview size limit exceeded, changes collapsed.
Chapters/Chapter04.tex +34 −39 Original line number Diff line number Diff line Loading @@ -5,13 +5,13 @@ \section{Objectives and Expected Results} \subsection{Symbolic solver for quantified bit-vectors} I will continue developing the implemented symbolic \smt solver Q3B, which is aimed at solving quantified bit-vector formulas. In I plan to continue developing the implemented symbolic \smt solver Q3B, which is aimed at solving quantified bit-vector formulas. In particular, I plan to add support for uninterpreted functions and the theory of arrays, which is highly desirable for applications in the program verification. I also want to implement extraction of an unsatisfiable core from the intermediate \bdds that were produced during the computation of the solver. during the computation. Additionally, currently implemented approximations are very simple and could benefit from better refinement in the case that the current Loading 
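Review bot: "I plan to continue developing the implemented symbolic \smt solver Q3B" is awkward; "the symbolic \smt solver Q3B that I have implemented" (or simply "the symbolic \smt solver Q3B") reads better. The context line "applications in the program verification" should drop the article.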
@@ -21,26 +21,27 @@ Moreover, I want to implement other variants of decision diagrams such as zero-suppressed decision diagrams introduced by Minato~\cite{Min93}, binary moment diagrams introduced by Bryant and Chen~\cite{BC95}, and algebraic decision diagrams introduced by Bahar et al.~\cite{BFGHMPS} and experimentally evaluate their effect on the performance of the symbolic \smt solver for the quantified et al.~\cite{BFGHMPS}. I plan to experimentally evaluate their effect on the performance of the symbolic \smt solver for the quantified bit-vectors. \subsection{Hybrid approach to quantified bit-vectors} Although results of the symbolic \smt solver for quantified bit-vectors look promising, standard \smt solvers still perform better on queries containing multiplication and complex bit-vectors look promising, standard \smt solvers still perform better on queries containing multiplication and complex arithmetic. Therefore, I plan to develop a hybrid approach to \smt solving of quantified bit-vector formulas that combines strengths of both of these approaches. For example, parts of the quantified formula that do not contain multiplication can be converted to the \bdd, which can be used to guide the model search in the model-based quantifier instantiation. One possible way of achieving this is adding support for \bdds to the solver \mcbv developed by Zeljić et al. The \bdd representation can be added to the currently used over-approximations by bit-patterns and arithmetic intervals. Moreover, a tighter cooperation is possible -- if a \mcsat solver decides a value, it can be used to partially instantiate a quantified part of the formula, for which the \bdd will be computed. both of these approaches. For example, parts of the quantified formula that do not contain multiplication can be converted to the \bdd, which can be used to guide the model search in the model-based quantifier instantiation of the other parts of the formula. 
One possible way of achieving this is adding support for \bdds to the solver \mcbv developed by Zeljić et al. The \bdd representation can be added to the currently used over-approximations by bit-patterns and arithmetic intervals. Moreover, a tighter cooperation is possible -- if a value of a variable is decided by during the \mcbv computation, it can be used to partially instantiate a quantified part of the formula, for which the \bdd will be computed. As the part of my PhD study, an implementation of a solver using the hybrid approach and its evaluation on the representative set of Loading @@ -53,9 +54,9 @@ Simplifications using unconstrained variables can be extended to quantified formulas. However, in the quantified setting, constraints among variables can be introduced also by the order in which the variables are quantified. We have formulated a hypothesis that describes the necessary condition for the quantified variable to be describes a sufficient condition for the quantified variable to be considered as unconstrained. Based on this hypothesis and a partial proof of its validity, we have implemented an proof-of-concept proof of its validity, we have implemented a proof-of-concept simplification procedure that can simplify quantified formulas that contain unconstrained variables. Although the initial experimental results, conducted on the formulas from the semi-symbolic model Loading 
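Review bot: stray word in "if a value of a variable is decided by during the \mcbv computation": drop "by". In the next hunk (@@ -53), changing "the necessary condition" to "a sufficient condition" flips the logical claim; a sufficient condition is indeed what a sound simplification needs (the variable may be treated as unconstrained whenever the condition holds), so double-check that the hypothesis and the partial proof mentioned in the following sentence establish that direction.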
@@ -64,23 +65,23 @@ correctness is not yet complete. Moreover, the simplifications of formulas with unconstrained variables can be further extended. For example, if a formula contains a term $k \times x$ with an odd values of $k$ and the variable $x$ is unconstrained, this term can be replaced by a simpler term. In particular, if $i$ is the largest number for which $2^i$ divides the constant $k$ and the unconstrained variable $x$ has bit-width $n$, the term $k \times x$ can be rewritten to $extract_0^{n-i}(x) \cdot 0^i$. This approach can be also extended to the multiplication of two variables from which one is unconstrained. I plan to investigate further extensions to the terms containing division and remainder operations and to publish a paper concerning propagation of unconstrained variables in quantified formulas and extensions of unconstrained variable simplification to multiplication and division. I will also experimentally evaluate the effect of such $k \times x$ in which the variable $x$ is unconstrained, this term can be replaced by a simpler term regargless the parity of the value $k$. In particular, if $i$ is the largest number for which $2^i$ divides the constant $k$ and the unconstrained variable $x$ has bit-width $n$, the term $k \times x$ can be rewritten to $extract_0^{n-i}(x) \cdot 0^i$.. This approach can be also extended to the multiplication of two variables from which one is unconstrained. I plan to investigate further extensions to the terms containing division and remainder operations and to publish a paper concerning propagation of unconstrained variables in quantified formulas and extensions of unconstrained variable simplification to multiplication and division. I will also experimentally evaluate the effect of such simplifications on our solver Q3B and on state-of the art solvers such as Boolector, CVC4, and Z3. 
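Review bot: typos in the rewritten sentence: "regargless the parity of the value $k$" should be "regardless of the parity of the value of $k$", and there is a double full stop after "$\cdot 0^i$..". The notation $extract_0^{n-i}(x)$ is also inconsistent with the \extract{n}{p} macro used in Chapter 2 for "extraction of $n$ bits starting from the position $p$"; as written, the term should be $\extract{n-i}{0}(x) \cdot 0^i$. A one-clause justification would help the reader: $k = 2^i k'$ with $k'$ odd, multiplication by an odd constant is invertible on bit-vectors (as stated at the start of this section), so $k' \times x$ can be replaced by a fresh variable and the remaining factor $2^i$ is the shift by $i$ zero bits.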
\subsection{Complexity of BV2} As was explained in section \ref{sec:complexity}, the precise As was explained in Section \ref{sec:complexity}, the precise complexity of quantified bit-vector formulas with binary-encoded bit-widths and without uninterpreted functions is not known. It is known to be in \EXPSPACE and to be \NEXPTIME-hard. However, a class Loading @@ -93,13 +94,7 @@ BV2 is complete for the class of problems solvable by the and \emph{polynomial number of alternations} with respect to log-space reduction. This class is usually denoted as \AEXPTIMEp and is known to be in between \NEXPTIME and \EXPSPACE~\cite{HKVV15, Luc16}. However, whether any of the inclusions is proper is not known. The \AEXPTIMEp-hardness of the BV2 can be shown by reducing the problem of satisfiability of \emph{quantified second order boolean formulas}, which was recently proven to be \AEXPTIMEp-hard by Lück~\cite{Luc16}. Expected result is a paper published at an international conference or in a journal. whether any of the inclusions is proper is not known. \section{Progression Schedule} The plan of my future study and research activities is following: Loading
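Review bot: the second hunk (@@ -93) deletes the paragraph explaining how \AEXPTIMEp-hardness of BV2 would be shown (reduction from quantified second-order Boolean formulas, Lück~\cite{Luc16}) together with the sentence "Expected result is a paper published at an international conference or in a journal", so the subsection now ends on "whether any of the inclusions is proper is not known" without saying what is planned or what the expected output is, unlike the other subsections in this file. If dropping the hardness argument is intentional, consider keeping at least the expected-result sentence. \cite{Luc16} is still used in the retained line "\NEXPTIME and \EXPSPACE~\cite{HKVV15, Luc16}", so the bibliography entry remains referenced.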
classicthesis-config.tex +1 −1 Original line number Diff line number Diff line Loading @@ -98,7 +98,7 @@ %style=authoryear-comp, % Author 1999, 2010 %bibstyle=authoryear,dashed=false, % dashed: substitute rep. author with --- sorting=nyt, % name, year, title maxbibnames=3, % default: 3, et al. maxbibnames=10, % default: 3, et al. %backref=true,% natbib=true % natbib compatibility mode (\citep and \citet still work) }{biblatex} Loading