
we propose a Craig interpolation procedure for SSMT that is sound and complete when the underlying theory is the theory of linear order over the reals, and we extend it to non-polynomial SSMT by means of interval constraint propagation (ICP) [Ben96], thereby sacrificing completeness yet maintaining soundness.

Essentially, we first use ICP to reduce the general, non-polynomial SSMT problem to an SSMT problem over the linear order of the reals. As an unsatisfied SSMT problem may still have satisfying assignments, just not sufficiently many to exceed the target probability threshold, we then have to compute a generalized interpolant, which is a Craig interpolant for $(A,\; B \land \lnot S_{A,B})$, where $S_{A,B}$ represents an overapproximation of the satisfying assignments of the formula $A \land B$. We do so by extending Pudlák's rules [Pud97] to compute that generalized Craig interpolant. Instrumental to that adaptation of Pudlák's rules is the observation that the theory of linear order, with simple bounds as its atoms, admits a resolution rule akin to its propositional counterpart.

5.1.2 Related work

As in Chapter 4, we refer to previous work that uses Craig interpolation, with or without other techniques, for verifying safety. What sets this chapter apart is that it deals with the same bounded model checking problems, but now admitting stochastic behaviour.

Generalized interpolation for SSAT. Teige in [TF12b] proposed generalized Craig interpolation for stochastic Boolean satisfiability (SSAT) problems. Our work extends this to SSMT involving non-polynomial arithmetic constraints. Furthermore, Teige's approach did not address stochastic models with continuous dynamics, which our work covers.

Interpolants in the presence of non-linear constraints. Kupferschmid et al. [KB11] were the first to suggest Craig interpolation for non-polynomial, and thus undecidable, SMT problems by means of ICP and resolution in SMT over linear order. Our approach employs the same mechanism for dealing with arithmetic constraints, but extends it to SSMT problems, thus necessitating the computation of generalized rather than traditional interpolants.

5.2 Stochastic Satisfiability Modulo Theories (SSMT)

In this section, we introduce the syntax and semantics of stochastic satisfiability modulo theories (SSMT) formulae, as originally proposed in [FHT08].


5.2.1 SSMT: syntax

Definition 5.1: Syntax of SSMT

A stochastic satisfiability modulo theories (SSMT) formula δ is of the form Q : ϕ where

1. ϕ is an arbitrary SMT formula with respect to the theory of non-polynomial arithmetic over the reals and integers, called the matrix of the formula, and
2. $Q = Q_1 x_1 \in D_{x_1} \ldots Q_n x_n \in D_{x_n}$ is a quantifier prefix binding some variables $x_i \in V(\phi)$ over finite domains $D_{x_i} := \{val_1, \ldots, val_m\}$ by a sequence of existential and randomized quantifiers $Q_i$, i.e., $\exists$ and $\mathsf{R}^{[val_1 \mapsto p_1, \ldots, val_m \mapsto p_m]}$ respectively, where $\sum_{i=1}^{m} p_i = 1$.

Free, i.e., unbound by quantifiers, variables are permitted in SSMT formulae. For simplicity, we assume that the matrix ϕ of an SSMT formula Q : ϕ is in CNF, as one can convert any formula to a CNF of linear size by introducing auxiliary variables [Tse83], as mentioned in Section 4.3.

5.2.2 SSMT: semantics

Definition 5.2: Semantics of SSMT

The semantics of an SSMT formula δ is given by its maximum probability of satisfaction Pr(δ), defined as follows:

$$\Pr(\varepsilon : \phi) = \begin{cases} 0 & \text{if } \phi \text{ is unsatisfiable,} \\ 1 & \text{if } \phi \text{ is satisfiable,} \end{cases}$$

$$\Pr(\exists x \in D_x\; Q : \phi) = \max_{val \in D_x} \Pr(Q : \phi[val/x]),$$

$$\Pr(\mathsf{R}^{d_x} x \in D_x\; Q : \phi) = \sum_{val \in D_x} d_x(val) \cdot \Pr(Q : \phi[val/x]),$$

where $d_x$ is a discrete probability distribution over $D_x$, ε is the empty quantifier prefix, ϕ is the matrix of δ and Q is an arbitrary quantifier prefix.

Definition 5.2 is an extension of the semantics of SSAT, cf. [Pap85, TF12b]. While the interpretation of the quantifiers remains the same as for SSAT, their treatment is adapted to handle discrete domains with more than two values.

That is, the maximum probability of satisfaction Pr(δ) of an SSMT formula δ with a leftmost existential quantifier in the prefix, i.e. $\delta = \exists x \in D_x\; Q : \phi$, is defined as the maximum of the satisfaction probabilities of all subformulae $Q : \phi[val/x]$ obtained by removing the leftmost quantified variable from the prefix and substituting the values $val \in D_x$ for the variable x in the matrix ϕ. If the leftmost variable is randomized, i.e. $\delta = \mathsf{R}^{d_x} x \in D_x\; Q : \phi$, then Pr(δ) is the weighted sum of the satisfaction probabilities of all subformulae $Q : \phi[val/x]$.

The base cases of this definition, reached whenever the quantifier prefix becomes empty, i.e. ε, yield SMT formulae over the non-quantified (free) variables.


[Figure 5.1 (quantifier tree not reproduced): 1½ player game semantics of the SSMT formula

$$\delta = \exists x \in \{2, 3, 4\}\; \mathsf{R}^{[1 \mapsto 0.2,\; 2 \mapsto 0.4,\; 3 \mapsto 0.4]}\, y \in \{1, 2, 3\} : (x + y > 3 \lor 2 \cdot y - x > 3) \land (x < 4).$$

Leaf and node values recoverable from the figure:

x = 2: y = 1 unsat (Pr = 0), y = 2 sat (Pr = 1), y = 3 sat (Pr = 1); node Pr = 0.8
x = 3: y = 1 sat, y = 2 sat, y = 3 sat; node Pr = 1.0
x = 4: y = 1 unsat, y = 2 unsat, y = 3 unsat; node Pr = 0.0
Pr(δ) = max(0.8, 1.0) = 1.0]

Figure 5.1: 1½ player game semantics of an SSMT formula. In recursive solvers, traversal of the dashed part of the quantifier tree is skipped due to pruning [Tei12].

This is one of the main differences between SSMT and SSAT: in the latter, all variables are quantified, so each base case yields a formula equivalent to either true or false. In keeping with the intuition of the maximum probability of satisfaction, we assign satisfaction probability 1 to the remaining quantifier-free SMT formula ε : ϕ if ϕ is satisfiable, and probability 0 otherwise, i.e. if ϕ is unsatisfiable. Thereby, the non-quantified (free) variables of an SSMT formula can be seen as innermost existentially quantified over possibly continuous (bounded) domains.

5.2.3 SSMT: illustrative example

Example 5.1: SSMT semantics: 1½ player game

Let us consider the following formula, which is depicted in Figure 5.1:

$$\exists x \in \{2, 3, 4\}\; \mathsf{R}^{[1 \mapsto 0.2,\; 2 \mapsto 0.4,\; 3 \mapsto 0.4]}\, y \in \{1, 2, 3\} : (x + y > 3 \lor 2 \cdot y - x > 3) \land (x < 4)$$

The semantics of this SSMT formula is a 1½ player game. In naive SSMT solving, the quantifier tree is fully unravelled and every resulting instance of the matrix (a leaf of the tree) is passed to an SMT solver, which returns satisfiable (sat) or unsatisfiable (unsat). From the leaves we then compute the satisfaction probabilities of the parent nodes bottom-up. For example, for the node where x evaluates to 2, the probability is the weighted sum over all branches, namely (0 · 0.2) + (1 · 0.4) + (1 · 0.4) = 0.8. In the same way we compute the probabilities of all nodes at that depth. Since x is existentially quantified, we then take the maximum over all its branches, i.e. the maximum of 0.8, 1.0 and 0.0, which is 1.0. At this point we have reached the root of the tree and have thus computed the maximum probability of satisfying the given formula.

Pruning rules, also illustrated in Figure 5.1, permit skipping a major portion of the instances in general. For more information about these pruning techniques, see the SiSAT model checker and Teige's thesis [Tei12].
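As an added illustration (this code is not part of the thesis or of SiSAT; the tuple encoding of the prefix and the two pruning rules are my own simplifications), the following Python evaluates Definition 5.2 on Example 5.1 by unravelling the quantifier tree, once naively and once with pruning: an existential node stops as soon as a branch reaches probability 1, and a randomized node stops once the probability mass still unexplored cannot lift it to a given target threshold θ. The leaf evaluation stands in for the SMT call, which is trivial here because every variable is quantified; the leaf counter shows how many such calls each strategy needs.

```python
from fractions import Fraction
from typing import Callable, Dict, Optional, Sequence, Tuple, Union

Prob = Fraction                       # exact arithmetic, so "best == 1" is a safe test
# ("E", var, [values]) is an existential quantifier, ("R", var, {value: prob}) a randomized one
Quant = Tuple[str, str, Union[Sequence[int], Dict[int, Prob]]]
Matrix = Callable[[Dict[str, int]], bool]


def pr(prefix: Sequence[Quant], matrix: Matrix, env: Optional[Dict[str, int]] = None,
       theta: Prob = Fraction(0), prune: bool = False, stats: Optional[dict] = None) -> Prob:
    """Maximum probability of satisfaction (Definition 5.2) of prefix : matrix.

    The result is exact whenever it is >= theta. With prune=True a result below
    theta may only be a lower bound, because subtrees that can no longer reach
    theta are abandoned. stats["leaves"] counts matrix evaluations, i.e. the
    instances a real solver would hand to its SMT layer.
    """
    env = {} if env is None else env
    if not prefix:                                # base case: empty prefix, ground matrix
        if stats is not None:
            stats["leaves"] += 1
        return Fraction(1) if matrix(env) else Fraction(0)
    kind, var, dom = prefix[0]
    rest = prefix[1:]
    if kind == "E":                               # existential: maximum over the branches
        best = Fraction(0)
        for val in dom:
            best = max(best, pr(rest, matrix, {**env, var: val}, theta, prune, stats))
            if prune and best >= 1:               # no sibling can beat probability 1
                break
        return best
    total, remaining = Fraction(0), Fraction(1)   # randomized: weighted sum over the branches
    for val, p in dom.items():
        if p == 0:
            continue
        # minimum value this child must reach for the node to still attain theta,
        # assuming every sibling not yet visited is fully satisfiable
        need = (theta - total - (remaining - p)) / p
        child = pr(rest, matrix, {**env, var: val}, max(Fraction(0), need), prune, stats)
        total += p * child
        remaining -= p
        if prune and total + remaining < theta:   # even all-sat siblings cannot reach theta
            break
    return total


# Example 5.1: exists x in {2,3,4}, R[1->0.2, 2->0.4, 3->0.4] y in {1,2,3}
EXAMPLE_PREFIX: Sequence[Quant] = [
    ("E", "x", [2, 3, 4]),
    ("R", "y", {1: Fraction(1, 5), 2: Fraction(2, 5), 3: Fraction(2, 5)}),
]


def example_matrix(env: Dict[str, int]) -> bool:
    """(x + y > 3 or 2*y - x > 3) and (x < 4), evaluated on a ground assignment."""
    x, y = env["x"], env["y"]
    return (x + y > 3 or 2 * y - x > 3) and x < 4


def solve(theta: Prob = Fraction(0), prune: bool = False) -> Tuple[Prob, int]:
    """Return (Pr(delta), number of leaves examined) for Example 5.1."""
    stats = {"leaves": 0}
    return pr(EXAMPLE_PREFIX, example_matrix, theta=theta, prune=prune, stats=stats), stats["leaves"]


def subtree(x: int) -> Prob:
    """Probability of the subtree below the decision x = <x>, e.g. 0.8 for x = 2."""
    return pr(EXAMPLE_PREFIX[1:], example_matrix, {"x": x})


if __name__ == "__main__":
    print("naive:", solve())                                   # (Fraction(1, 1), 9)
    print("pruned:", solve(prune=True))                        # (Fraction(1, 1), 6)
    print("pruned, theta = 0.9:", solve(Fraction(9, 10), True))  # (Fraction(1, 1), 4)
```

With θ = 0.9 the x = 2 subtree is abandoned after its first leaf (y = 1 is unsat, and the remaining mass 0.8 cannot reach 0.9), and x = 4 is never visited because x = 3 already attains 1; only four of the nine leaves are examined, which is the effect the dashed part of Figure 5.1 illustrates.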

5.2.4 Complexity of SSMT

Quantified Boolean formulae (QBF), also known as QSAT, are decidable; the problem is PSPACE-complete [Pap94]. QBF is a special case of SSAT [TF10], and the latter problem is also PSPACE-complete [TF10, Pap94], even for S2SAT problems [TF10].

Furthermore, SSAT problems are special cases of SSMT problems [FHT08], where the latter, in contrast to SSAT [Pap85], are either fully quantified or contain free variables, i.e. general SSMT formulae. On the one hand, SSMT and S2SMT problems over the theory of linear (total) order are decidable and PSPACE-complete; hardness follows since SSAT problems reduce polynomially to SSMT problems [Pap94]. On the other hand, SSMT problems with non-linear constraints, e.g. involving the exponential or sin functions, are undecidable.

5.2.5 Structure of SSMT formula

An SSMT formula consists of two layers, namely an SSMT layer (the quantifier prefix) and an SMT layer (the matrix). In this section we show explicitly how these layers are built and how they communicate within a solver.

Our proposed structure in Figure 5.2 follows, yet adjusts, the structure of the SiSAT tool [Tei12].

Topmost layer: SSMT layer. This layer holds the SMT formula ϕ together with the quantifier prefix Q. The quantifier prefix is built as described in Section 5.2.1, and the non-quantified SMT formula (the matrix) is passed to the middle layer (SMT layer), as shown in Figure 5.2.

Middle layer: SMT layer. In this layer one can have a conjunction of linear constraints, of non-linear constraints, or of both. This layer employs the lowermost layer by passing it the conjunctive model of the system, where each variable is assigned an interval instead of a single value. Consequently, all DPLL techniques, such as deduction and unit propagation, are performed in terms of intervals; in particular, a decision means a case split of a variable's interval, as shown in the example in Figure 5.2 for the variables n and m.

Normally, if the formula contains only linear constraints, it can be solved in this layer by Fourier-Motzkin elimination [DE73] or the simplex algorithm [Dan63]. However, we introduce a general architecture to deal with the general case, i.e. linear and non-linear constraints, where the latter need special treatment, as illustrated in the next layer.

[Figure 5.2 (diagram not reproduced). Right side: the layered architecture of an SSMT solver such as SiSAT. The SSMT layer (quantifiers and SMT formula) passes the matrix, an SMT formula in CNF over linear and non-linear constraints with free variables assigned to intervals, to the SMT layer, which reports satisfiability or unsatisfiability of the formula and receives facts deduced by ICP; the SMT layer passes a conjunctive system of non-linear constraints (the model) to the T-solver, which reports inconsistency or satisfiability of the model and returns facts deduced by ICP. Left side: solving

$$\delta = \exists x \in \{0.3, 0.7\}\; \mathsf{R}^{[3.5 \mapsto 0.2,\; 5 \mapsto 0.8]}\, y \in \{3.5, 5\} : (\sin(m) < x \lor n < 4 + y) \land (n - m \geq 4.5 + y \lor b)$$

over the free variables m ∈ [0, 1], n ∈ [7, 10], b ∈ {T, F} (the operators of the second clause are lost in extraction and are reconstructed here from the deduction n ≥ 8.31 shown in the figure). The branch x = 0.3, y = 3.5 instantiates the matrix to (sin(m) < 0.3 ∨ n < 7.5) ∧ (n − m ≥ 8 ∨ b), which is passed as an SMT formula to the middle layer; ICP contracts sin(m) < 0.3 to m ≤ 0.31, the solver splits the interval of n into [7, 8.5) and [8.5, 10] and that of m into [0, 0.31] and (0.31, 1], ICP deduces a new bound for n (n ≥ 8.31 in the branch m > 0.31), and the clause (n < 8.5 ∨ b) is learned.]

Figure 5.2: On the right side, the architecture of an SSMT solver, e.g. SiSAT. On the left side, an example of solving an SSMT formula and how this is mapped onto the architecture of an SSMT solver.

Lowermost layer: T-layer. This layer is responsible for reasoning about conjunctive systems of non-linear arithmetic constraints over bounded reals and integers [Tei12]. One efficient mechanism for handling such problems is to use safe interval analysis [Moo95] and interval constraint propagation (ICP), as proposed in SiSAT.

Interval analysis: It is used to evaluate the interval consistency of a conjunction of non-linear arithmetic constraints involving functions like sin and exp. Interval consistency is a necessary but not sufficient condition for real-valued satisfiability of the constraint system. Thus, iSAT can sometimes only return the weak answer "candidate solution" (cf. Section 4.3).

There are several definitions of interval consistency [BG06]. They differ only in the strength of their consistency notions and in the computational effort required to decide consistency. Our consistency concept (as mentioned in Section 4.3) is hull consistency.

Hull consistency applies to unary and binary arithmetic operations and to simple bounds. For some set A ⊆ ℝ (or A ⊆ ℤ), hull(A), called the interval hull of A, is the smallest interval containing the set A.

Interval constraint propagation (ICP) [BMH94]: It is integrated with interval consistency as a deduction mechanism that cuts off irrelevant parts of the variable assignments by narrowing the intervals (contractors) [Ben96, BMH94] while trying to achieve hull consistency. Intuitively, if we are given a constraint¹ and a certain area B where the solution is expected, then ICP finds another area B′ such

¹In SiSAT, only primitive constraints are considered, i.e. constraints containing one relation and at
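As an added worked example of the T-layer and ICP described above (my own code, not SiSAT's or the thesis's implementation; the tuple encoding of primitive constraints, the variable names, and the closed-interval treatment of strict bounds are assumptions for illustration), the following Python implements hull-consistency contractors for simple bounds and for the unary and binary operations sin, +, − and ·, and runs them to a fixpoint. It reproduces the Figure 5.2 steps sin(m) < 0.3 ⇒ m ≤ asin(0.3) ≈ 0.31 and the bound n ≥ 8.31 after the split m ∈ (0.31, 1], and it shows why interval consistency is only a necessary condition: a constructed system that is hull-consistent but has no real solution comes back as a candidate rather than as unsat.

```python
import math
from typing import Dict, List, Tuple

Interval = Tuple[float, float]        # closed interval [lo, hi]; empty once lo > hi
Box = Dict[str, Interval]             # one interval per variable
EPS = 1e-9                            # smaller moves do not count as progress


def meet(a: Interval, b: Interval) -> Interval:
    return (max(a[0], b[0]), min(a[1], b[1]))

def add(a: Interval, b: Interval) -> Interval:
    return (a[0] + b[0], a[1] + b[1])

def sub(a: Interval, b: Interval) -> Interval:
    return (a[0] - b[1], a[1] - b[0])

def mul(a: Interval, b: Interval) -> Interval:
    c = [a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1]]
    return (min(c), max(c))

def div(a: Interval, b: Interval) -> Interval:
    # only called when b excludes zero; otherwise the quotient is unbounded
    c = [a[0] / b[0], a[0] / b[1], a[1] / b[0], a[1] / b[1]]
    return (min(c), max(c))


def contract(c: tuple, box: Box) -> bool:
    """Hull-consistency contractor for one primitive constraint (one relation,
    at most one arithmetic operation). Narrows box in place; True if it moved."""
    old = {v: box[v] for v in c[1:] if isinstance(v, str)}
    kind = c[0]
    if kind == "le":                  # x <= k (a strict x < k is approximated by x <= k)
        _, x, k = c
        box[x] = meet(box[x], (-math.inf, k))
    elif kind == "ge":                # x >= k
        _, x, k = c
        box[x] = meet(box[x], (k, math.inf))
    elif kind == "sin":               # z = sin(x); assumes x within [-pi/2, pi/2], where sin is monotone
        _, x, z = c
        box[z] = meet(box[z], (math.sin(box[x][0]), math.sin(box[x][1])))
        zz = meet(box[z], (-1.0, 1.0))
        if zz[0] <= zz[1]:
            box[x] = meet(box[x], (math.asin(zz[0]), math.asin(zz[1])))
    elif kind == "add":               # z = x + y, propagated forward to z and backward to x, y
        _, x, y, z = c
        box[z] = meet(box[z], add(box[x], box[y]))
        box[x] = meet(box[x], sub(box[z], box[y]))
        box[y] = meet(box[y], sub(box[z], box[x]))
    elif kind == "sub":               # z = x - y
        _, x, y, z = c
        box[z] = meet(box[z], sub(box[x], box[y]))
        box[x] = meet(box[x], add(box[z], box[y]))
        box[y] = meet(box[y], sub(box[x], box[z]))
    elif kind == "mul":               # z = x * y; backward step only when the divisor excludes 0
        _, x, y, z = c
        box[z] = meet(box[z], mul(box[x], box[y]))
        if box[y][0] > 0 or box[y][1] < 0:
            box[x] = meet(box[x], div(box[z], box[y]))
        if box[x][0] > 0 or box[x][1] < 0:
            box[y] = meet(box[y], div(box[z], box[x]))
    else:
        raise ValueError(f"unknown constraint kind {kind}")
    return any(abs(box[v][0] - old[v][0]) > EPS or abs(box[v][1] - old[v][1]) > EPS for v in old)


def propagate(constraints: List[tuple], box: Box, max_rounds: int = 100) -> Tuple[str, Box]:
    """ICP: apply every contractor until no interval moves by more than EPS.
    "inconsistent" is a sound unsat verdict; "hull-consistent" is only a
    candidate solution, since interval consistency is necessary, not sufficient."""
    box = dict(box)
    for _ in range(max_rounds):
        changed = False
        for c in constraints:
            changed |= contract(c, box)
            if any(lo > hi for lo, hi in box.values()):
                return "inconsistent", box
        if not changed:
            break
    return "hull-consistent", box


def figure_5_2_sin_step() -> Tuple[str, Interval]:
    """Branch x = 0.3 of Figure 5.2: sin(m) < 0.3 with m in [0, 1] (constructed instance)."""
    status, box = propagate([("sin", "m", "z"), ("le", "z", 0.3)], {"m": (0.0, 1.0), "z": (-1.0, 1.0)})
    return status, box["m"]           # m narrows to [0, asin(0.3)] ~ [0, 0.3047]

def figure_5_2_split_step() -> Tuple[str, Interval]:
    """After the case split m in (0.31, 1]: n - m >= 8 with n in [7, 10] gives n >= 8.31."""
    box = {"m": (0.31, 1.0), "n": (7.0, 10.0), "d": (-10.0, 10.0)}
    status, box = propagate([("sub", "n", "m", "d"), ("ge", "d", 8.0)], box)
    return status, box["n"]

def hull_consistent_but_unsat(p_lower: float = 1.0) -> str:
    """x + y = 0, x - y = 0, x*y >= p_lower over [-1, 1]^2 (constructed): for p_lower = 1
    there is no real solution, yet every contractor is at a fixpoint, so ICP alone only
    yields a candidate; for p_lower = 2 the forward product bound [-1, 1] exposes it."""
    box = {"x": (-1.0, 1.0), "y": (-1.0, 1.0), "s": (-2.0, 2.0), "d": (-2.0, 2.0), "p": (-1.0, 1.0)}
    cs = [("add", "x", "y", "s"), ("le", "s", 0.0), ("ge", "s", 0.0),
          ("sub", "x", "y", "d"), ("le", "d", 0.0), ("ge", "d", 0.0),
          ("mul", "x", "y", "p"), ("ge", "p", p_lower)]
    return propagate(cs, box)[0]
```

The weak verdict in the last function is exactly the "candidate solution" answer of the text: the product contractor cannot narrow x or y while both intervals contain zero, so the box stays hull-consistent even though x = y and x·y ≥ 1 force x = ±1, contradicting x + y = 0. A solver such as SiSAT escapes this by the case splits of the SMT layer, which would split x and hand each half back to the contractors.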