\documentclass[11pt,twoside]{scrartcl}
%opening
\newcommand{\lecid}{15-414}
\newcommand{\leccourse}{Bug Catching: Automated Program Verification}
\newcommand{\lecdate}{} %e.g. {October 21, 2013}
\newcommand{\lecnum}{14}
\newcommand{\lectitle}{Satisfiability Modulo Theories}
\newcommand{\lecturer}{Matt Fredrikson}
\usepackage{listings}
\usepackage{lecnotes}
\usepackage{tikz}
\usepackage[irlabel]{bugcatch}
\usetikzlibrary{automata,shapes,positioning,matrix,shapes.callouts,decorations.text}
\tikzset{onslide/.code args={<#1>#2}{%
\only<#1>{\pgfkeysalso{#2}} % \pgfkeysalso doesn't change the path
}}
\tikzset{
invisible/.style={opacity=0,text opacity=0},
visible on/.style={alt={#1{}{invisible}}},
alt/.code args={<#1>#2#3}{%
\alt<#1>{\pgfkeysalso{#2}}{\pgfkeysalso{#3}} % \pgfkeysalso doesn't change the path
},
}
\definecolor{mygray}{rgb}{0.5,0.5,0.5}
\definecolor{backgray}{gray}{0.95}
\lstdefinestyle{whyml}{
belowcaptionskip=1\baselineskip,
breaklines=true,
language=[Objective]Caml,
showstringspaces=false,
numbers=left,
xleftmargin=2em,
framexleftmargin=1.5em,
numbersep=5pt,
numberstyle=\tiny\color{mygray},
basicstyle=\footnotesize\ttfamily,
keywordstyle=\color{blue},
commentstyle=\itshape\color{purple!40!black},
tabsize=2,
backgroundcolor=\color{backgray},
escapechar=\%,
morekeywords={predicate,invariant}
}
\newcommand\bigforall{\mbox{\Large $\mathsurround0pt\forall$}}
\newcommand\tequal{$T_{\textrm{\textsf E}}$\xspace}
\newcommand\tint{$T_{\mathbb{R}}$\xspace}
\newcommand\tintz{$T_{\mathbb{Z}}$\xspace}
\newcommand\myeq{\stackrel{\mathclap{\footnotesize\mbox{def}}}{=}}
\begin{document}
\lstset{style=whyml}
\maketitle
\thispagestyle{empty}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Introduction}
In the previous lecture we studied decision procedures for propositional logic. However, verification conditions that arise in practice often combine expressions from different theories. Consider the following examples:
\begin{itemize}
\item A combination of linear arithmetic and uninterpreted functions:\\
\[
(x_2 \geq x_1) \wedge (x_1 - x_3 \geq 2) \wedge (x_3 \geq 0) \wedge
f (f(x_1) - f(x_2)) \neq f(x_3)
\]
\item A combination of linear arithmetic and arrays:\\
\[
x = v\{i \leftarrow e\}[j] \wedge y = v[j] \wedge x > e \wedge x > y
\]
\end{itemize}
%All the above theories can be expressed in some quantifier-free fragment of first order theory.
In this lecture, we will show how we can solve formulas that combine multiple theories by using the Nelson-Oppen combination method and the DPLL(T) framework.\footnote{This lecture is based on one written by Ruben Martins, who adapted content from~\cite{Bradley2007} and~\cite{kroening}}
\section{Preliminaries}
A first-order theory $T$ is defined by the following components.
\begin{itemize}
\item Its signature $\Sigma$ is a set of constant, function, and predicate symbols.
\item Its set of axioms $\mathcal A$ is a set of closed first-order logic formulae in which only constant, function, and predicate symbols of $\Sigma$ appear.
\end{itemize}
\begin{definition}[$T$-valid]
A $\Sigma$-formula $\varphi$ is valid in the theory $T$ ($T$-valid), if every interpretation $I$ that satisfies the axioms of $T$ (i.e., $I \models A \textrm{~for every~} A \in \mathcal A$) also satisfies $\varphi$ (i.e., $I \models \varphi$).
\end{definition}
% A $\Sigma$-formula $\varphi$ is , denoted $T \models \varphi$, if all interpretations that satisfy $T$ also satisfy $\varphi$.
% \end{definition}
% A theory is defined over a signature $\Sigma$, which is a set of nonlogical symbols (i.e., function and predicate symbols). If $T$ is such a theory, we say it is a $\Sigma$-theory.
\begin{definition}[$T$-satisfiable]
Let $T$ be a $\Sigma$-theory. A $\Sigma$-formula $\varphi$ is $T$-satisfiable if there exists an interpretation $I$ that satisfies the axioms of $T$ and also satisfies $\varphi$ (i.e., $I \models \varphi$).
\end{definition}
\begin{definition}[$T$-decidable]
A theory $T$ is decidable if $T \models \varphi$ is decidable for every $\Sigma$-formula $\varphi$. That is, there exists an algorithm that always terminates with ``yes'' if $\varphi$ is $T$-valid and with ``no'' if $\varphi$ is $T$-invalid.
\end{definition}
Some theories that we will use throughout this lecture are:
\begin{itemize}
\item The theory of equality with uninterpreted functions (\tequal).
\item The theory of real numbers (\tint).
\end{itemize}
\subsection{Theory of Equality}
The \textbf{theory of equality with uninterpreted functions} \tequal is the simplest first-order theory. Its signature consists of a binary equality predicate $(=)$, and all constant, function, and predicate symbols:
\[
\Sigma_{\textrm{\textsf E}} : \{=, a, b, c, \ldots, f, g, h, \ldots, p, q , r, \ldots\}
\]
We will adopt the convention of using letters at the beginning or end of the alphabet like $a$, $b$, $c$, $x$, $y$, \ldots for constants, $f$, $g$, $h$, \ldots for function symbols, and later alphabet characters $p$, $q$, $r$, \ldots for predicates.
Intuitively, \tequal captures statements about simple equality relationships between arbitrary objects that we do not assume anything else about. Much like the atomic propositions in propositional logic refer to arbitrary, uninterpreted assertions that are either true or false, the constants in \tequal are arbitrary objects that can be either equal or not equal to each other, can be operated on by arbitrary functions, and further related by arbitrary predicates.
The axioms of \tequal are the following:
\begin{enumerate}
\item $\forall x. x = x$ \hfill (reflexivity)
\item $\forall x, y. x = y \rightarrow y = x$ \hfill (symmetry)
\item $\forall x, y, z. x = y \wedge y = z \rightarrow x = z$ \hfill (transitivity)
\item $\forall \bar{x},\bar{y}. (\bigwedge^n_{i=1} x_i = y_i) \rightarrow f(\bar x) = f(\bar y)$ \hfill (congruence)
\item $\forall \bar{x},\bar{y}. (\bigwedge^n_{i=1} x_i = y_i) \rightarrow (p(\bar x) \leftrightarrow p(\bar y))$ \hfill (equivalence)
\end{enumerate}
\subsection{Theory of Reals}
The \textbf{theory of reals} \tint has signature
% \[
% \Sigma_{\mathbb{Z}} : \{\ldots, -2, -1, 0, 1, 2, \ldots, -3 \cdot, -2\cdot, 2\cdot, 3\cdot, \ldots, +, -, =, >\}
% \]
% where
% \begin{itemize}
% \item $\ldots, -2, -1, 0, 1, 2, \ldots$ are constants.
% \item $\ldots, -3 \cdot, -2\cdot, 2\cdot, 3\cdot, \ldots$ are unary functions, intended to represent constant coefficients (e.g., $2\cdot x$).
% \item $+$ and $-$ are binary functions.
% \item $=$ and $>$ are binary predicates.
% \end{itemize}
\[
\Sigma_{\mathbb{R}} : \{0, 1, +, -, \cdot, =, \geq\}
\]
where
\begin{itemize}
\item 0 and 1 are constants;
\item + (addition) and $\cdot$ (multiplication) are binary functions;
\item - (negation) is a unary function;
\item and = (equality) and $\geq$ (weak inequality) are binary predicates.
\end{itemize}
\tint has a complex axiomatization and we will not describe all its axioms here since they are not essential to the understanding of the Nelson-Oppen procedure and the DPLL(T) framework. We refer the interested student to~\cite{Bradley2007} for a detailed reading on the axiomatization of the theory of reals.
\subsection{Theory combination}
\begin{definition}[Theory combination]
Given two theories $T_1$ and $T_2$ with signatures $\Sigma_1$ and $\Sigma_2$, respectively, the theory combination $T_1 \oplus T_2$ is a $(\Sigma_1 \cup \Sigma_2)$-theory defined by the axiom set $T_1 \cup T_2$.
\end{definition}
\begin{definition}[The theory combination problem]
Let $\varphi$ be a $(\Sigma_1 \cup \Sigma_2)$-formula. The theory combination problem is to decide whether $\varphi$ is $T_1 \oplus T_2$-valid, i.e., whether $T_1 \oplus T_2 \models \varphi$ holds.
\end{definition}
Given a $\Sigma_{\textrm{\textsf E}}$-formula $\varphi$ in \tequal and a $\Sigma_{\mathbb{R}}$-formula $\psi$ in \tint, can we check the satisfiability of $\varphi \land \psi$ by checking the satisfiability of $\varphi$ and $\psi$ independently and combining the results? A quick counterexample shows that this is not a sound approach to the theory combination problem. Consider the following combination of formulas from \tequal and \tint:
\begin{align*}
\varphi &= f(x) \neq f(y)\\
\psi &= x+y = 0 \wedge x = 0
\end{align*}
Both $\varphi$ and $\psi$ are satisfiable but $\varphi$ implies that $x \neq y$ and $\psi$ implies that $x = y$, therefore their combination is not satisfiable!
\section{Nelson-Oppen Procedure}
The Nelson-Oppen procedure solves the theory combination problem for theories $T_1$ and $T_2$ that comply with the following restrictions:
\begin{itemize}
\item Both theories $T_1$ and $T_2$ are quantifier-free (conjunctive) fragments.
\item Equality (=) is the only symbol in the intersection of their signatures, i.e., $\Sigma_1 \cap \Sigma_2 = \{=\}$.
\item Both theories are stably infinite.
\end{itemize}
\begin{definition}[Stably infinite]
A theory $T$ with signature $\Sigma$ is stably infinite if for every satisfiable $\Sigma$-formula $\varphi$ there is an interpretation that satisfies $\varphi$ and has a universe of infinite cardinality.
\end{definition}
Consider the theory $T_{a,b}$ with signature $\Sigma_T : \{a, b, =\}$ where both $a$ and $b$ are constants and with the following axiom:
\begin{itemize}
\item $\forall x. x = a \vee x = b$ \hfill (two)
\end{itemize}
Because of axiom (two), the domain of every interpretation $I$ has at most two elements. Therefore, $T_{a,b}$ is not stably infinite. Note that most theories of interest for program verification are stably infinite, e.g. the theory of equality with uninterpreted functions and the theory of integers.
%\newpage
The Nelson-Oppen procedure for a formula $\varphi$ that combines different theories consists of:
\begin{enumerate}
\item \textbf{Purification}: Purify $\varphi$ into $F_1, \ldots, F_n$.
\item Apply the decision procedure for $T_i$ to $F_i$. If there exists $i$ such that $F_i$ is unsatisfiable in $T_i$, then $\varphi$ is unsatisfiable.
\item \textbf{Equality propagation}: If there exists $i, j$ such that $F_i$ $T_i$-implies an equality between variables of $\varphi$ that is not $T_j$-implied by $F_j$, add this equality to $F_j$ and go to step 2.
\item If all equalities have been propagated then the formula is satisfiable.
\end{enumerate}
\subsection{Purification and equality propagation}
Purification is a satisfiability-preserving transformation of the formula, after which each atom is from a specific theory. In this case, we say that all the atoms are \textbf{pure}. More specifically, given a formula $\varphi$, purification generates an equisatisfiable formula $\varphi'$ as follows:
\begin{enumerate}
\item Let $\varphi' := \varphi$.
\item For each ``alien'' subexpression $\phi$ in $\varphi'$:
\begin{itemize}
\item Replace $\phi$ with a new auxiliary variable $a_\phi$
\item Constrain $\varphi'$ with $a_\phi = \phi$.
\end{itemize}
\end{enumerate}
Consider the following formula:
\[
\varphi = f(x + g(y)) \leq g(a) + f(b)
\]
This formula combines the theories \tequal and \tint. Below we show the purification of $\varphi$ into $\varphi'$ defined over \tint and $\varphi''$ defined over \tequal:
\begin{center}
\begin{tabular}{|l|r|}
\hline
%\multicolumn{2}{|c|}{$\varphi = f(x + g(y)) \leq g(a) + f(b)$ (\tequal $\cup$ \tint)}\\
%\hline
\multicolumn{2}{|c|}{Purification}\\
\hline
$\varphi'$ (\tint) & $\varphi''$ (\tequal)\\
\hline
$u_4 = x + u_1 \wedge$ & $u_1 = g(y) \wedge$\\
$u_5 \leq u_2 + u_3$ & $u_2 = g(a) \wedge$\\
& $u_3 = f(b) \wedge$\\
& $u_5 = f(u_4)$\\
\hline
\end{tabular}
\end{center}
Observe that $\varphi'$ only contains atoms from \tint and $\varphi''$ only contains atoms from \tequal. A variable is shared if it occurs in both formulas and local otherwise. For example, $\{u_1, u_2, u_3, u_4, u_5\}$ are shared variables since they appear in both $\varphi'$ and $\varphi''$ and variables $\{x,y,a,b\}$ are local to either $\varphi'$ ($\{x\}$) or $\varphi''$ ($\{y,a,b\}$).
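The purification step above, as an added example that is not part of these notes: the Python code below walks a mixed \tequal/\tint formula represented as nested tuples, replaces every alien subterm by a fresh variable $u_i$, records the definition $u_i = \phi$ in the conjunction of the theory that owns $\phi$, and finally computes the shared and local variables. The term representation, the split of symbols between the theories ($+$, $-$, $\cdot$ and numerals to \tint, every other function symbol to \tequal), the placement of an equality between two variables on the \tequal side, and all function names are this example's own assumptions. The fresh variables are numbered in traversal order, so they differ from the $u_1, \ldots, u_5$ of the table, but the pure parts, the five shared variables and the local variables $\{x\}$ and $\{y, a, b\}$ come out the same.

```python
# Added example, not from the lecture notes: purification of a formula mixing the
# theory of equality with uninterpreted functions (T_E) and the theory of reals
# (T_R). Terms are nested tuples: ('f', 'x') is f(x), ('+', 'x', 1) is x + 1; a
# str is a variable, an int a numeral. Atoms are ('<=', s, t), ('=', s, t) or
# ('!=', s, t). The split of symbols and every name below are this example's own.
ARITH = {'+', '-', '*'}   # function symbols owned by T_R; every other symbol is T_E

def theory_of_symbol(sym):
    return 'R' if sym in ARITH else 'E'

def theory_of_atom(atom):
    """'<=' belongs to T_R; an (in)equality goes to the theory of its first
    non-variable top-level term, and one between two variables goes to T_E."""
    pred, lhs, rhs = atom
    if pred == '<=':
        return 'R'
    for t in (lhs, rhs):
        if isinstance(t, tuple):
            return theory_of_symbol(t[0])
        if isinstance(t, int):
            return 'R'
    return 'E'

class Purifier:
    def __init__(self):
        self.count = 0
        self.parts = {'R': [], 'E': []}   # the pure conjunctions phi' and phi''

    def fresh(self):
        self.count += 1
        return 'u%d' % self.count

    def term(self, t, th):
        """Return a term pure in theory th. Each alien subterm phi is replaced by
        a fresh variable u, and u = phi is added to the theory that owns phi."""
        if isinstance(t, str):            # variables may appear in both theories
            return t
        if isinstance(t, int):            # numerals belong to T_R
            if th == 'R':
                return t
            v = self.fresh()
            self.parts['R'].append(('=', v, t))
            return v
        own = theory_of_symbol(t[0])
        pure = (t[0],) + tuple(self.term(a, own) for a in t[1:])
        if own == th:
            return pure
        v = self.fresh()
        self.parts[own].append(('=', v, pure))
        return v

    def atom(self, atom):
        pred, lhs, rhs = atom
        th = theory_of_atom(atom)
        self.parts[th].append((pred, self.term(lhs, th), self.term(rhs, th)))

def variables(t):
    """All variables occurring in a term or atom."""
    if isinstance(t, str):
        return {t}
    if isinstance(t, tuple):
        return set().union(*(variables(a) for a in t[1:]))
    return set()

def purify(atoms):
    """Purify a conjunction of atoms; returns the pure parts per theory, the
    shared variables, and the variables local to each theory."""
    p = Purifier()
    for a in atoms:
        p.atom(a)
    occ = {th: set().union(*(variables(a) for a in part)) for th, part in p.parts.items()}
    shared = occ['R'] & occ['E']
    return p.parts, shared, {'R': occ['R'] - occ['E'], 'E': occ['E'] - occ['R']}

def show(t):
    """Render a term or atom as text."""
    if not isinstance(t, tuple):
        return str(t)
    sym, args = t[0], [show(a) for a in t[1:]]
    if sym in ARITH or sym in ('<=', '=', '!='):
        return '(%s %s %s)' % (args[0], sym, args[1])
    return '%s(%s)' % (sym, ', '.join(args))

# phi = f(x + g(y)) <= g(a) + f(b), the formula from the notes, as one atom
PHI = [('<=', ('f', ('+', 'x', ('g', 'y'))), ('+', ('g', 'a'), ('f', 'b')))]

if __name__ == '__main__':
    parts, shared, local = purify(PHI)
    for th in ('R', 'E'):
        print('T_%s: %s' % (th, ' and '.join(show(a) for a in parts[th])))
    print('shared:', sorted(shared), 'local:', local)
```

Running the file prints the two pure conjunctions in the layout of the table above: two atoms on the \tint side, four definitions on the \tequal side, and the shared variables $u_1, \ldots, u_5$.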
%\newpage
Consider another formula:
\[
\phi = f(f(x)-f(y)) \neq f(z) \wedge x \leq y \wedge y + z \leq x \wedge 0 \leq z
\]
We will show how to determine the satisfiability of $\phi$ with the Nelson-Oppen procedure. We start with purification and then perform equality propagation over the shared variables.
\begin{center}
\begin{tabular}{|l|r|}
\hline
\multicolumn{2}{|c|}{Purification}\\
\hline
$\phi'$ (\tint) & $\phi''$ (\tequal)\\
\hline
$x \leq y \wedge$ & $f(w) \neq f(z) \wedge$\\
$y + z \leq x \wedge$ & $u = f(x) \wedge$\\
$0 \leq z \wedge$ & $v = f(y)$\\
$w = u - v$ &\\
\hline
\multicolumn{2}{|c|}{Equality propagation}\\
\hline
$x = y \wedge$ & $x = y \wedge $\\
$u = v \wedge$ & $u = v \wedge $\\
$w = z$ & $w = z \wedge $\\
& \textsf{unsat}\\
\hline
\end{tabular}
\end{center}
Observe that $x \leq y$, $y + z \leq x$ and $0 \leq z$ imply that $x = y$ and $z = 0$. Therefore, we add $x = y$ to both formulas. Since $x = y$, congruence gives $f(x) = f(y)$ and therefore $u = v$. Since $u = v$ and $w = u - v$, it follows that $w = 0$, which means that $w = z$. However, if $w = z$ then $f(w) = f(z)$, but $\phi''$ contains $f(w) \neq f(z)$. Hence, $\phi$ is unsatisfiable.
\subsection{Convex theories}
The Nelson-Oppen procedure described in the previous section is only valid for convex theories. Note that this procedure can be modified to handle nonconvex theories but for simplification purposes we omit that version.
\begin{definition}[Convex theory]
A $\Sigma$-theory T is convex if for every conjunctive $\Sigma$-formula $\varphi$:
\begin{align*}
&(\varphi \rightarrow \bigvee^n_{i=1} x_i = y_i) \textrm{~is $T$-valid for some finite~} n > 1 \rightarrow\\
&(\varphi \rightarrow x_i = y_i) \textrm{~is $T$-valid for some~} i \in \{1, \cdots, n\}
\end{align*}
where $x_i, y_i$, for $i \in \{1, \cdots, n\}$, are some variables.
\end{definition}
In other words, in a convex theory $T$, if a formula $T$-implies a disjunction of equalities, it also $T$-implies at least one of these equalities separately.
An example of a nonconvex theory is the theory of integers (\tintz). For instance, while
\[
x_1 = 1 \wedge x_2 = 2 \wedge 1 \leq x_3 \wedge x_3 \leq 2 \rightarrow (x_3 = x_1 \vee x_3 = x_2)
\]
holds, neither
\[
x_1 = 1 \wedge x_2 = 2 \wedge 1 \leq x_3 \wedge x_3 \leq 2 \rightarrow x_3 = x_1
\]
nor
\[
x_1 = 1 \wedge x_2 = 2 \wedge 1 \leq x_3 \wedge x_3 \leq 2 \rightarrow x_3 = x_2
\]
holds.
Consider the following formula defined over the theory of integers (\tintz) and the theory of uninterpreted functions with equality (\tequal):
\[
\varphi = 1 \leq x \wedge x \leq 2 \wedge f(x) \neq f(1) \wedge f(x) \neq f(2)
\]
We can see that this formula is unsatisfiable since $x$ is either 1 or 2, but $f(x) \neq f(1) \wedge f(x) \neq f(2)$ means that $x$ has to be different from both 1 and 2. However, if we apply the Nelson-Oppen procedure described in the previous section we will \textbf{incorrectly} conclude that $\varphi$ is satisfiable:
\begin{center}
\begin{tabular}{|l|r|}
\hline
\multicolumn{2}{|c|}{Purification}\\
\hline
$\varphi'$ (\tintz) & $\varphi''$ (\tequal)\\
\hline
$1 \leq x \wedge$ & $f(x) \neq f(z) \wedge$\\
$x \leq 2 \wedge$ & $f(x) \neq f(w)$\\
$z = 1$ &\\
$w = 2$ &\\
\hline
\multicolumn{2}{|c|}{Equality propagation}\\
\hline
\textsf{sat} & \textsf{sat}\\
\hline
\end{tabular}
\end{center}
\section{DPLL(T) framework}
The Nelson-Oppen procedure allows us to decide conjunctions of literals from combined first-order theories. To handle disjunction, we could convert the formula to Disjunctive Normal Form (DNF). However, this conversion is usually too expensive and is not the most efficient way of solving disjunctive first-order formulas. In Lecture 13 we covered SAT solvers \& DPLL, and one of the strengths of the DPLL algorithm is its ability to handle disjunctions. DPLL can be extended into the DPLL(T) framework, which allows Satisfiability Modulo Theories (SMT) solvers to handle disjunctions over first-order theories and forms the baseline of modern SMT solvers.
The key idea behind this framework is to decompose the SMT problem into parts we can deal with efficiently:
\begin{itemize}
\item Use a SAT solver to cope with the \textbf{Boolean structure} of the formula;
\item Use a dedicated conjunctive \textbf{theory solver} to decide satisfiability in the background theory.
\end{itemize}
\subsection{Boolean abstraction}
We define the Boolean abstraction of a $\Sigma$-formula $\varphi$ recursively:
\begin{itemize}
\item $<$literal$>$ ::= $<$atom$>_T$ $\vert$ $\neg <$atom$>_T$
\item $<$formula$>$ ::= $<$literal$>$\hfill $\mathcal B$ ($l_T$) $\myeq$ $P_i$, where $P_i$ is a fresh variable
\item $<$formula$>$ ::= $\neg$ $<$formula$>$\hfill $\mathcal B$ ($\neg F$) $\myeq$ $\neg \mathcal B(F)$
\item $<$formula$>$ ::= $<$formula$> \wedge$ $<$formula$>$\hfill $\mathcal B$ ($F_1 \wedge F_2$) $\myeq$ $\mathcal B(F_1) \wedge \mathcal B(F_2)$
\item $<$formula$>$ ::= $<$formula$> \vee$ $<$formula$>$\hfill $\mathcal B$ ($F_1 \vee F_2$) $\myeq$ $\mathcal B(F_1) \vee \mathcal B(F_2)$
\item $<$formula$>$ ::= $<$formula$> \rightarrow$ $<$formula$>$\hfill $\mathcal B$ ($F_1 \rightarrow F_2$) $\myeq$ $\mathcal B(F_1) \rightarrow \mathcal B(F_2)$
\item $<$formula$>$ ::= $<$formula$> \leftrightarrow$ $<$formula$>$\hfill $\mathcal B$ ($F_1 \leftrightarrow F_2$) $\myeq$ $\mathcal B(F_1) \leftrightarrow \mathcal B(F_2)$
\end{itemize}
Given a $\Sigma$-formula $\varphi$:
\[
\varphi : g(a) = c \wedge (f(g(a)) \neq f(c) \vee g(a) = d) \wedge c \neq d
\]
The Boolean abstraction of $\varphi$ is the following:
\begin{align*}
\mathcal B (\varphi) &= \mathcal B(g(a) = c \wedge (f(g(a)) \neq f(c) \vee g(a) = d) \wedge c \neq d)\\
&= \mathcal B(g(a) = c) \wedge \mathcal B(f(g(a)) \neq f(c) \vee g(a) = d) \wedge \mathcal B(c \neq d)\\
&= \mathcal B(g(a) = c) \wedge (\mathcal B(f(g(a)) \neq f(c)) \vee \mathcal B(g(a) = d)) \wedge \mathcal B(c \neq d)\\
&= P_1 \wedge (\neg P_2 \vee P_3) \wedge \neg P_4
\end{align*}
Here $P_2$ abstracts the atom $f(g(a)) = f(c)$ and $P_4$ the atom $c = d$, so the negated atoms become the literals $\neg P_2$ and $\neg P_4$.
Note that we can also define $\mathcal B^{-1}$, which maps from the Boolean variables back to the atoms in the original formula. For example $\mathcal B^{-1}(P_1 \wedge P_3 \wedge P_4)$ corresponds to the formula $g(a) = c \wedge g(a) = d \wedge c = d$.
We call $\mathcal B(\varphi)$ an abstraction of $\varphi$ since it is an over-approximation of $\varphi$ with respect to satisfiability. Observe the following properties of this over-approximation:
\begin{itemize}
\item If $\varphi$ is satisfiable then $\mathcal B(\varphi)$ is also satisfiable;
\item If $\mathcal B(\varphi)$ is satisfiable then $\varphi$ is not necessarily satisfiable:
\[
\varphi : 1 \leq x \wedge x \leq 2 \wedge f(x) \neq f(1) \wedge f(x) \neq f(2)
\]
$\varphi$ is unsatisfiable in the theory of integers (\tintz) since $x$ is either 1 or 2, but $f(x) \neq f(1) \wedge f(x) \neq f(2)$ implies that $x$ must be different from both 1 and 2. However, the Boolean abstraction $\mathcal B(\varphi) = P_1 \wedge P_2 \wedge P_3 \wedge P_4$ is satisfiable.
\item If $\varphi$ is unsatisfiable then $\mathcal B(\varphi)$ is not necessarily unsatisfiable:
\[
\varphi : 1 \leq x \wedge x \leq 2 \wedge f(x) \neq f(1) \wedge f(x) \neq f(2)
\]
The same example as for the previous case holds for this case as well. $\varphi$ is unsatisfiable in the theory of integers (\tintz) but $\mathcal B(\varphi)$ is satisfiable.
\item If $\mathcal B(\varphi)$ is unsatisfiable then $\varphi$ is also unsatisfiable.
\end{itemize}
\subsection{Combining theory and SAT solvers}
The Boolean abstraction provides us with a \textbf{lazy} way to solve SMT. Given a $\Sigma$-formula $\varphi$, we can determine its satisfiability by performing the following procedure:
\begin{enumerate}
\item Construct the Boolean abstraction $\mathcal B(\varphi)$;
\item If $\mathcal B(\varphi)$ is unsatisfiable then $\varphi$ is unsatisfiable;
\item Otherwise, get an interpretation $I$ for $\mathcal B(\varphi)$;
\item Construct $\psi = \bigwedge^n_{i=1} P_i \leftrightarrow I(P_i)$;
\item Send $\mathcal B^{-1}(\psi)$ to the $T$-solver;
\item If the $T$-solver reports that $\varphi \land \mathcal B^{-1}(\psi)$ is satisfiable then $\varphi$ is satisfiable;
\item Otherwise, update $\mathcal B(\varphi) := \mathcal B(\varphi) \wedge \neg \psi$ and return to step 2.
\end{enumerate}
This procedure terminates when: (i) $\mathcal B(\varphi)$ becomes unsatisfiable, which implies that $\varphi$ is also unsatisfiable, or (ii) the $T$-solver reports that $\varphi \land \mathcal B^{-1}(\psi)$ is satisfiable, which implies that $\mathcal B(\varphi)$ is satisfiable and that there exists an interpretation $I$ that satisfies $\varphi$ together with all axioms of the theory $T$.
%
Note that if $\varphi \land \mathcal B^{-1}(\psi)$ is unsatisfiable we cannot terminate, since there may be another interpretation of $\mathcal B(\varphi)$ that makes $\varphi \land \mathcal B^{-1}(\psi)$ satisfiable. Therefore, we need to exhaust all interpretations of $\mathcal B(\varphi)$ before deciding that $\varphi$ is unsatisfiable.
%
In step 7 we add $\neg \psi$ to $\mathcal B(\varphi)$; if we did not, we would get the same interpretation $I$ for $\mathcal B(\varphi)$ again. We call $\neg \psi$ a \textbf{theory conflict clause}: it prevents the SAT solver from going down the same path in future iterations.
Suppose we want to find if the $\Sigma$-formula $\varphi$ is satisfiable:
\[
\varphi : g(a) = c \wedge (f(g(a)) \neq f(c) \vee g(a) = d) \wedge c \neq d
\]
We start by building its Boolean abstraction $\mathcal B(\varphi)$:
\[
\mathcal B(\varphi) : P_1 \wedge (\neg P_2 \vee P_3) \wedge \neg P_4
\]
Table~\ref{tbl:init} shows step 1 of the procedure with $\varphi$ and the corresponding Boolean abstraction $\mathcal B(\varphi)$. Next, we query the SAT solver for an interpretation of $\mathcal B(\varphi)$. Assume that the SAT solver returns the interpretation $I = \{P_1, \neg P_2, P_3, \neg P_4\}$. We construct $\psi = (P_1 \wedge \neg P_2 \wedge P_3 \wedge \neg P_4)$ and send $\mathcal B^{-1}(\psi)$ to the $T$-solver. Note that $\mathcal B^{-1}(\psi)$ corresponds to:
\[
\mathcal B^{-1}(\psi) : g(a) = c \wedge f(g(a)) \neq f(c) \wedge g(a) = d \wedge c \neq d
\]
$\mathcal B^{-1}(\psi) \land \varphi$ is unsatisfiable since if $g(a) = d$ and $g(a) = c$ then $c = d$, but $\varphi$ states that $c \neq d$. Therefore, we know that this interpretation does not yield a $T$-satisfiable formula, but there may exist another interpretation that satisfies $\varphi$. We update $\mathcal B(\varphi)$ with $\neg \psi$ as shown in Table~\ref{tbl:2} and query the SAT solver for another interpretation.
\begin{table}
\centering
\begin{tabular}{|l|r|}
\hline
Theory solver & SAT solver\\
\hline
$g(a) = c \wedge$ & $P_1 \wedge (\neg P_2 \vee P_3) \wedge \neg P_4$\\
$(f(g(a)) \neq f(c) \vee g(a) = d) \wedge$ &\\
$c \neq d$&\\
\hline
\end{tabular}
\caption{$\varphi$ and $\mathcal B(\varphi)$.}\label{tbl:init}
\end{table}
\begin{table}
\centering
\begin{tabular}{|l|r|}
\hline
Theory solver & SAT solver\\
\hline
$g(a) = c \wedge$ & $P_1 \wedge (\neg P_2 \vee P_3) \wedge \neg P_4$\\
$(f(g(a)) \neq f(c) \vee g(a) = d) \wedge$ & $(\neg P_1 \vee P_2 \vee \neg P_3 \vee P_4)$\\
$c \neq d$&\\
\hline
\end{tabular}
\caption{Updated $\mathcal B(\varphi)$ after checking that the interpretation $I = \{P_1, \neg P_2, P_3, \neg P_4\}$ does not satisfy $\varphi$.}\label{tbl:2}
\end{table}
Assume that the SAT solver returns a new interpretation $I = \{P_1, P_2, P_3, \neg P_4\}$. We construct $\psi = (P_1 \wedge P_2 \wedge P_3 \wedge \neg P_4)$ and send $\mathcal B^{-1}(\psi)$ to the $T$-solver. Note that in this case $\mathcal B^{-1}(\psi)$ corresponds to:
\[
\mathcal B^{-1}(\psi) : g(a) = c \wedge f(g(a)) = f(c) \wedge g(a) = d \wedge c \neq d
\]
We can see that $\mathcal B^{-1}(\psi) \land \varphi$ is unsatisfiable for the same reason as before. We update $\mathcal B(\varphi)$ with $\neg \psi$ as shown in Table~\ref{tbl:3} and perform another query to the SAT solver.
\begin{table}
\centering
\begin{tabular}{|l|r|}
\hline
Theory solver & SAT solver\\
\hline
$g(a) = c \wedge$ & $P_1 \wedge (\neg P_2 \vee P_3) \wedge \neg P_4$\\
$(f(g(a)) \neq f(c) \vee g(a) = d) \wedge$ & $(\neg P_1 \vee P_2 \vee \neg P_3 \vee P_4)$\\
$c \neq d$& $(\neg P_1 \vee \neg P_2 \vee \neg P_3 \vee P_4)$\\
\hline
\end{tabular}
\caption{Updated $\mathcal B(\varphi)$ after checking that the interpretation $I = \{P_1, P_2, P_3, \neg P_4\}$ does not satisfy $\varphi$.}\label{tbl:3}
\end{table}
Assume that the SAT solver returns a new interpretation $I = \{P_1, \neg P_2, \neg P_3, \neg P_4\}$. We construct $\psi = (P_1 \wedge \neg P_2 \wedge \neg P_3 \wedge \neg P_4)$ and send $\mathcal B^{-1}(\psi)$ to the $T$-solver. Note that in this case $\mathcal B^{-1}(\psi)$ corresponds to:
\[
\mathcal B^{-1}(\psi) : g(a) = c \wedge f(g(a)) \neq f(c) \wedge g(a) \neq d \wedge c \neq d
\]
We can see that $\mathcal B^{-1}(\psi) \land \varphi$ is unsatisfiable since $g(a) = c$ but $f(g(a)) \neq f(c)$. We update $\mathcal B(\varphi)$ with $\neg \psi$ as shown in Table~\ref{tbl:4} and observe that $\mathcal B(\varphi)$ becomes unsatisfiable after adding $\neg \psi$. Since $\mathcal B(\varphi)$ is unsatisfiable, we can conclude that $\varphi$ is also unsatisfiable.
\begin{table}
\centering
\begin{tabular}{|l|r|}
\hline
Theory solver & SAT solver\\
\hline
$g(a) = c \wedge$ & $P_1 \wedge (\neg P_2 \vee P_3) \wedge \neg P_4$\\
$(f(g(a)) \neq f(c) \vee g(a) = d) \wedge$ & $(\neg P_1 \vee P_2 \vee \neg P_3 \vee P_4)$\\
$c \neq d$& $(\neg P_1 \vee \neg P_2 \vee \neg P_3 \vee P_4)$\\
&$(\neg P_1 \vee P_2 \vee P_3 \vee P_4)$\\
&\textsf{unsat}\\
\hline
\end{tabular}
\caption{Updated $\mathcal B(\varphi)$ after checking that the interpretation $I = \{P_1, \neg P_2, \neg P_3, \neg P_4\}$ does not satisfy $\varphi$. $\mathcal B(\varphi)$ becomes unsatisfiable after adding the negation of $I$.}\label{tbl:4}
\end{table}
\subsection{Improving DPLL(T) framework}
Consider the $\Sigma$-formula $\varphi$ defined over \tintz:
\[
\varphi: 0 < x \wedge x < 1 \wedge x < 2 \wedge \ldots \wedge x < 99
\]
The Boolean abstraction $\mathcal B(\varphi)$ is the following:
\[
\mathcal B(\varphi): P_0 \wedge P_1 \wedge \ldots \wedge P_{99}
\]
Note that $\mathcal B(\varphi)$ has $2^{98}$ interpretations containing $P_0 \wedge P_1$ and none of them satisfies $\varphi$. The procedure described in the previous section will enumerate all of them one by one and add a blocking conflict clause that only covers a single assignment! A potential solution to this issue is not to treat the SAT solver as a black box but instead to query the theory solver incrementally as the SAT solver builds its partial interpretations. With this integration we could stop as soon as $\{0 < x, x < 1\}$ has been assigned and would not need to explore the $2^{98}$ infeasible interpretations. This can be done by pushing the $T$-solver into the DPLL algorithm as follows:
\begin{enumerate}
\item After Boolean Constraint Propagation (BCP), invoke the $T$-solver on the partial interpretation;
\item If the $T$-solver returns unsatisfiable then we can stop the search of the SAT solver and immediately add $\neg \psi$ to $\mathcal B(\varphi)$;
\item Otherwise, continue as usual until we have a new partial interpretation.
\end{enumerate}
Recall the example:
\[
\varphi : g(a) = c \wedge (f(g(a)) \neq f(c) \vee g(a) = d) \wedge c \neq d
\]
And its Boolean abstraction $\mathcal B(\varphi)$:
\[
\mathcal B(\varphi) : P_1 \wedge (\neg P_2 \vee P_3) \wedge \neg P_4
\]
DPLL will begin by propagating $P_1$ and $\neg P_4$ since they are unit clauses. At this point the theory axioms imply more propagations:
\begin{align*}
g(a) = c \rightarrow f(g(a)) = f(c)\\
g(a) = c \wedge c \neq d \rightarrow g(a) \neq d
\end{align*}
Deciding $\neg P_2$ or $P_3$ would be wasteful, so we can add the \textbf{theory lemmas}:
\begin{align*}
(P_1 \rightarrow P_2)\\
(P_1 \wedge \neg P_4) \rightarrow \neg P_3
\end{align*}
This procedure is called \textbf{theory propagation}, and if applied exhaustively can significantly prune the search by leading to Boolean interpretations that are $T$-satisfiable. However, in practice doing this at every step can be expensive and theory propagation is only applied when it is ``likely'' (using heuristics) to derive useful implications.
Another optimization that can be performed is to minimize the conflict clause $\psi$ that we add to $\mathcal B(\varphi)$ to contain only the root cause of the issue. Consider again the $\Sigma$-formula $\varphi$:
\[
\varphi : g(a) = c \wedge (f(g(a)) \neq f(c) \vee g(a) = d) \wedge c \neq d
\]
Notice that the interpretations $I = \{P_1, \neg P_2, P_3, \neg P_4\}$ and $I'= \{P_1, P_2, P_3, \neg P_4\}$ had the same root cause that led to $\varphi$ being unsatisfiable under them, i.e. $g(a) = d$ and $g(a) = c$, which imply that $c = d$, but we know that $c \neq d$, which is a contradiction. Can we find the root cause of this issue and learn something stronger than $\psi = (\neg P_1 \vee P_2 \vee \neg P_3 \vee P_4)$? Finding a smaller \emph{unsatisfiable core} to add instead of the entire $\psi$ helps us avoid these redundant conflicts.
\begin{definition}[Minimal unsatisfiable core]
Let $\varphi$ be an unsatisfiable formula and $\varphi_c \subseteq \varphi$. $\varphi_c$ is a minimal unsatisfiable core if and only if:
\begin{itemize}
\item $\varphi_c$ is unsatisfiable;
\item Removing any element from $\varphi_c$ makes $\varphi_c$ satisfiable.
\end{itemize}
\end{definition}
For $I = \{P_1, \neg P_2, P_3, \neg P_4\}$ we have the following $\mathcal B^{-1}(\psi)$:
\[
\mathcal B^{-1}(\psi) : g(a) = c \wedge f(g(a)) \neq f(c) \wedge g(a)=d \wedge c \neq d
\]
We can compute a minimal unsatisfiable core of $\mathcal B^{-1}(\psi)$ as follows.
\begin{enumerate}
\item Drop $g(a) = c$. Is the formula still unsatisfiable? \textbf{No!} Then it means this constraint will be part of the minimal unsatisfiable core.
\item Drop $f(g(a)) \neq f(c)$. Is the formula still unsatisfiable? \textbf{Yes!} Then it means that we can remove this constraint from the minimal unsatisfiable core.
\item Now we have $g(a) = c \wedge g(a) = d \wedge c \neq d$.
\item Drop $g(a) = d$. Is the formula still unsatisfiable? No, then keep this constraint.
\item Drop $c \neq d$. Is the formula still unsatisfiable? No, then keep this constraint.
\end{enumerate}
We can conclude that our minimal unsatisfiable core is $g(a) = c \wedge g(a) = d \wedge c \neq d$. Therefore, we can learn the clause $\psi' = (\neg P_1 \vee \neg P_3 \vee P_4)$ instead of $\psi = (\neg P_1 \vee P_2 \vee \neg P_3 \vee P_4)$, which would have saved one query to the SAT solver in the previous section.
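The lazy procedure of the previous section (Boolean abstraction, SAT model, $T$-solver check, conflict clause) together with the unsatisfiable-core minimization just described, as an added example in Python that is not part of these notes. A brute-force enumerator over the abstraction variables stands in for the SAT solver, congruence closure stands in for the \tequal solver, and the deletion-based loop above computes the core. The formula is the $\varphi$ of the tables, with the atoms numbered $P_1, \ldots, P_4$ in order of first occurrence (indices 0 to 3 in the code). The $T$-solver is given $\mathcal B^{-1}(\psi)$ alone, which is equivalent to checking $\varphi \wedge \mathcal B^{-1}(\psi)$ because $\psi$ fixes every atom of $\varphi$ and the SAT model already satisfies $\mathcal B(\varphi)$. The term encoding and every function name are this example's own assumptions.

```python
# Added example, not from the lecture notes: the lazy DPLL(T) loop with Boolean
# abstraction, learning either the whole clause not(psi) or the clause of a minimal
# unsatisfiable core of B^{-1}(psi). Atoms are ('=', s, t); terms are nested tuples
# such as ('g', 'a') for g(a) with strings as constants; c != d is written
# ('not', ('=', 'c', 'd')); connectives are ('and', ...), ('or', ...), ('not', F).
import itertools

def abstract(formula, atoms):
    """Boolean abstraction B: the i-th distinct atom becomes ('var', i), so
    B^{-1} is a lookup in atoms."""
    op = formula[0]
    if op == '=':
        if formula not in atoms:
            atoms.append(formula)
        return ('var', atoms.index(formula))
    if op == 'not':
        return ('not', abstract(formula[1], atoms))
    return (op,) + tuple(abstract(f, atoms) for f in formula[1:])

def evaluate(prop, a):
    op = prop[0]
    if op == 'var':
        return a[prop[1]]
    if op == 'not':
        return not evaluate(prop[1], a)
    combine = all if op == 'and' else any
    return combine(evaluate(p, a) for p in prop[1:])

def sat_model(prop, n, learned):
    """Stand-in SAT solver: first assignment to P_0..P_{n-1} satisfying prop and
    every learned clause (a clause is a set of (i, value) literals)."""
    for values in itertools.product([False, True], repeat=n):
        a = dict(enumerate(values))
        if evaluate(prop, a) and all(any(a[i] == v for i, v in cl) for cl in learned):
            return a
    return None

def subterms(t, acc):
    acc.add(t)
    for arg in (t[1:] if isinstance(t, tuple) else ()):
        subterms(arg, acc)
    return acc

def t_e_satisfiable(lits):
    """T_E solver by congruence closure; lits are (index, (s, t), polarity)."""
    terms = set()
    for _, (s, t), _ in lits:
        subterms(t, subterms(s, terms))
    parent = {t: t for t in terms}          # union-find over all subterms
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for _, (s, t), positive in lits:
        if positive:
            parent[find(s)] = find(t)
    apps = [t for t in terms if isinstance(t, tuple)]
    changed = True
    while changed:                          # close under the congruence axiom
        changed = False
        for i, p in enumerate(apps):
            for q in apps[i + 1:]:
                if (p[0] == q[0] and len(p) == len(q) and find(p) != find(q)
                        and all(find(x) == find(y) for x, y in zip(p[1:], q[1:]))):
                    parent[find(p)] = find(q)
                    changed = True
    # satisfiable iff no disequality s != t has s and t in the same class
    return all(find(s) != find(t) for _, (s, t), positive in lits if not positive)

def minimal_core(lits, is_sat):
    """Deletion-based minimal unsatisfiable core: drop a literal if the rest stays unsat."""
    core = list(lits)
    for lit in lits:
        trial = [l for l in core if l != lit]
        if not is_sat(trial):
            core = trial
    return core

def lazy_smt(formula, minimize):
    """Lazy SMT loop; returns ('sat' or 'unsat', number of T-solver queries)."""
    atoms = []
    prop = abstract(formula, atoms)
    learned, queries = [], 0
    while True:
        model = sat_model(prop, len(atoms), learned)
        if model is None:                   # B(phi) unsatisfiable => phi unsatisfiable
            return 'unsat', queries
        queries += 1
        # B^{-1}(psi): every atom with the polarity the SAT model gave it
        lits = [(i, (atoms[i][1], atoms[i][2]), model[i]) for i in range(len(atoms))]
        if t_e_satisfiable(lits):
            return 'sat', queries
        core = minimal_core(lits, t_e_satisfiable) if minimize else lits
        learned.append({(i, not pos) for i, _, pos in core})   # the clause not(psi)

g_a = ('g', 'a')
# phi : g(a) = c and (f(g(a)) != f(c) or g(a) = d) and c != d, from the notes
PHI = ('and', ('=', g_a, 'c'),
       ('or', ('not', ('=', ('f', g_a), ('f', 'c'))), ('=', g_a, 'd')),
       ('not', ('=', 'c', 'd')))
```

Calling \texttt{lazy\_smt(PHI, minimize=False)} makes three $T$-solver queries before $\mathcal B(\varphi)$ becomes unsatisfiable, while \texttt{lazy\_smt(PHI, minimize=True)} needs two: the first conflict already yields the clause $(\neg P_1 \vee P_2)$ and the second yields $(\neg P_1 \vee \neg P_3 \vee P_4)$, the $\psi'$ derived above. The enumeration order is that of \texttt{itertools.product}, so the first interpretation found is $\{P_1, \neg P_2, \neg P_3, \neg P_4\}$ rather than the one the tables start from.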
\section{Summary}
\begin{itemize}
\item The Nelson-Oppen procedure allows us to decide the satisfiability of a formula that consists of a combination of conjunctive first-order theories.
\item The Nelson-Oppen procedure is based on two phases:
\begin{enumerate}
\item Purification;
\item Equality propagation of shared variables.
\end{enumerate}
\item The DPLL(T) framework can be used to decide the satisfiability of a formula that consists of a combination of disjunctive first-order theories.
\item We can over-approximate a formula using its Boolean abstraction.
\item The key ideas behind the DPLL(T) framework are to:
\begin{itemize}
\item Use a SAT solver to cope with the Boolean structure of the formula;
\item Use a dedicated conjunctive theory solver to decide satisfiability in the background theory.
\end{itemize}
\item The basic DPLL(T) framework can be further improved with:
\begin{itemize}
\item Theory propagation;
\item Minimal unsatisfiable cores.
\end{itemize}
\end{itemize}
\bibliography{platzer,bibliography}
\end{document}