# Linear Arithmetic Satisfiability Via Strategy Improvement

Azadeh Farzan University of Toronto azadeh@cs.toronto.edu

Zachary Kincaid Princeton University zkincaid@cs.princeton.edu

Satisfiability-checking of formulas in the theory of linear rational arithmetic (LRA) has broad applications including program verification and synthesis. Satisfiability Modulo Theories (SMT) solvers are effective at checking satisfiability of the ground fragment of LRA, but applying them to quantified formulas requires a costly quantifier elimination step. This article presents a novel decision procedure for LRA that leverages SMT solvers for the ground fragment of LRA, but avoids explicit quantifier elimination. The intuition behind the algorithm stems from an interpretation of a quantified formula as a game between two players, whose goals are to prove that the formula is either satisfiable or not. The algorithm synthesizes a winning strategy for one of the players by iteratively improving candidate strategies for both. Experimental results demonstrate that the proposed procedure is competitive with existing solvers.

1 Introduction

Satisfiability modulo theories (SMT) solvers have proven to be extremely effective tools for solving a variety of problems. The traditional strength of SMT solvers has been in testing satisfiability of ground (quantifier-free) formulas, but many applications require quantifiers. For example, checking verification conditions for deductive verification [Ge et al., 2007], program synthesis [Solar-Lezama et al., 2006; Solar-Lezama, 2008; Reynolds et al., 2015], and model checking of array programs [Ghilardi and Ranise, 2010] all make use of quantifiers.

Integrating support for quantifiers into SMT solvers has been a long-standing challenge. For theories that admit quantifier elimination, such as linear rational arithmetic (LRA), one option is to eliminate quantifiers and then apply an SMT solver to the resulting ground formula. However, for applications that require only a yes or no answer to the satisfiability problem, quantifier elimination is a computationally expensive and unnecessary step. Heuristic quantifier instantiation is a practical alternative to quantifier elimination [De Moura and Bjørner, 2007; Ge et al., 2007], but it is incomplete and may return unknown on difficult problem instances. First-order theorem provers (such as Vampire [Kovács and Voronkov, 2013] and E [Schulz, 2013]) are well-tuned for solving quantified formulas, but have limited support for reasoning modulo theories.

This article presents a novel procedure for checking satisfiability of (quantified) LRA formulas. As with some approaches to Quantified Boolean Formulas [Zhang, 2006; Janota et al., 2012], the procedure takes intuition from the game-theoretical semantics of quantifiers [Hintikka, 1982]. We interpret a quantified formula as a game played by two players, SAT and UNSAT, whose goals are to prove that the formula is satisfiable and unsatisfiable, respectively. The players take turns instantiating quantifiers in the formula, with the existential quantifiers corresponding to moves of the SAT player and universal quantifiers corresponding to moves of the UNSAT player. SAT wins the game if the choices made by the players result in a model of the remainder of the formula (after all quantifiers have been instantiated); otherwise, UNSAT wins. A quantified formula is satisfiable if and only if there is a winning strategy for the SAT player; that is, if SAT has a way to win the game no matter how UNSAT plays.

The decision procedure proposed in this paper is based on synthesizing a winning strategy for one of the two players. The algorithm operates by iteratively improving the strategies for both players. At each step of the algorithm, one of the players proposes a candidate strategy. If the candidate is a winning strategy, then the status of the formula is known and the algorithm terminates. If the candidate is not a winning strategy, then the opposing player synthesizes a counterstrategy to beat it. In the next round, the opposing player proposes a new strategy that beats all previous strategies, and the two players switch roles. The process continues until one of the players obtains a winning strategy.

The next section defines the terminology and notation used in the rest of the paper. In Section 3 we define strategy skeletons. Strategy skeletons are similar to classical strategies, but have an order structure: our LRA decision procedure searches for winning strategy skeletons by ascending in this (improvement) order. Section 4 describes a procedure for constructing a counter-strategy to a candidate strategy skeleton. Section 5 presents the decision procedure for LRA. Section 6 discusses how to extend the strategy improvement procedure to other theories, in particular linear integer arithmetic. We present experimental results in Section 7 and conclude in Section 8.

Proceedings of the Twenty-Fifth International Joint Conference on Artificial Intelligence (IJCAI-16)

2 Game Semantics for Linear Arithmetic

The definitions that follow are mostly standard, but the reader who is unfamiliar with the game-theoretic interpretation of quantifiers in first-order logic may wish to read Section 2.2.

2.1 Linear Arithmetic

The syntax of linear rational arithmetic (LRA) is as follows. The set of terms is defined by the following grammar

$$s, t \in \mathsf{Term} ::= c \mid x \mid s + t \mid c \cdot t$$

where $x$ is a variable symbol and $c$ is a rational number. Ground formulas are defined by the grammar

$$F, G \in \mathsf{Formula} ::= t < 0 \mid t = 0 \mid F \land G \mid F \lor G$$

Notice that we (without loss of generality) assume that formulas are negation-free. A prenex formula is a formula of the form

$$\varphi = Q_1 x_1. Q_2 x_2. \cdots Q_n x_n. F,$$

where each $Q_i$ is either $\exists$ or $\forall$, $F$ is a ground formula, and all variable symbols $\{x_1, \ldots, x_n\}$ are assumed to be distinct. For a formula $\varphi$, we use $fv(\varphi)$ to denote the free variables which appear in $\varphi$; similarly, $fv(t)$ denotes the free variables of the term $t$. A prenex formula is a sentence if it has no free variables.

A valuation is a function $M : V \to \mathbb{Q}$, where $V$ is some finite set of variable symbols and $\mathbb{Q}$ denotes the set of rational numbers. For a term $t$ and a valuation $M$, we use $[\![t]\!]^M$ to denote the interpretation of $t$ within the valuation $M$. We use $M \models \varphi$ to denote that $M$ satisfies the formula $\varphi$ ($M$ is a model of $\varphi$), defined in the usual way. Many modern SMT solvers have the capability of computing satisfying valuations for satisfiable ground formulas [De Moura and Bjørner, 2008; Barrett et al., 2011; Dutertre, 2014].

For a valuation $M$, a variable $x$, and a rational number $c$, we use $M\{x \mapsto c\}$ to denote the extension of $M$ where $x$ is interpreted as $c$:

$$M\{x \mapsto c\} \triangleq \lambda y.\ \text{if } y = x \text{ then } c \text{ else } M(y)$$

For a formula $\varphi$, variable $x$, and term $t$, we use $\varphi[x \mapsto t]$ to denote the formula obtained from $\varphi$ by substituting each free occurrence of $x$ with $t$. For a sequence $\pi$, we use $|\pi|$ to denote the length of $\pi$ and $\pi_i$ to denote the $i$th element of $\pi$.
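The semantics above can be made concrete with a small evaluator. The following is a minimal sketch, assuming a tuple encoding of terms and formulas that is not part of the paper: a term is a number, a variable name, `("+", s, t)`, or `("*", c, t)`, and a ground formula is `("<", t)`, `("=", t)`, `("and", F, G)`, or `("or", F, G)`. The names `eval_term`, `holds`, and `extend` are hypothetical.

```python
from fractions import Fraction

def eval_term(t, M):
    """Interpret term t under valuation M (a dict from variable names to Fractions)."""
    if isinstance(t, str):                 # variable symbol x
        return M[t]
    if isinstance(t, (int, Fraction)):     # rational constant c
        return Fraction(t)
    op, a, b = t
    if op == "+":                          # s + t
        return eval_term(a, M) + eval_term(b, M)
    if op == "*":                          # c * t, with c a rational constant
        return Fraction(a) * eval_term(b, M)
    raise ValueError(f"unknown term constructor: {op!r}")

def holds(F, M):
    """Decide M |= F for a negation-free ground formula F."""
    tag = F[0]
    if tag == "<":                         # t < 0
        return eval_term(F[1], M) < 0
    if tag == "=":                         # t = 0
        return eval_term(F[1], M) == 0
    if tag == "and":
        return holds(F[1], M) and holds(F[2], M)
    if tag == "or":
        return holds(F[1], M) or holds(F[2], M)
    raise ValueError(f"unknown formula constructor: {tag!r}")

def extend(M, x, c):
    """Return the extension M{x -> c} without mutating M."""
    N = dict(M)
    N[x] = Fraction(c)
    return N

# The atom x < y, written in the grammar's normal form x + (-1)*y < 0.
x_lt_y = ("<", ("+", "x", ("*", -1, "y")))
M = {"x": Fraction(1, 2)}
```

For instance, `holds(x_lt_y, extend(M, "y", 1))` evaluates the atom in the valuation that maps x to 1/2 and y to 1.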

2.2 Satisfiability Games

A prenex sentence

$$\varphi = Q_1 x_1. Q_2 x_2. \cdots Q_n x_n. F$$

defines a satisfiability game, which is played as follows. There are two players, SAT and UNSAT, who take turns picking rational numbers. At round $i$ of the game, if $Q_i$ is $\exists$, then SAT chooses a rational number to assign to the variable $x_i$; if $Q_i$ is $\forall$, then the choice belongs to UNSAT. After playing this game for $n$ rounds, the players' choices define a play $\pi \in \mathbb{Q}^n$: a sequence of rational numbers of length $n$. This play can be identified with a valuation of the variables $M^\pi : \{x_1, \ldots, x_n\} \to \mathbb{Q}$ where for each $i$, $M^\pi(x_i) \triangleq \pi_i$. The SAT player wins if $M^\pi \models F$, otherwise UNSAT wins.

A strategy for a satisfiability game determines the next move for a player as a function of the sequence of previous moves in the game:

Definition 2.1 (Strategy). Let

$$\varphi = Q_1 x_1. Q_2 x_2. \cdots Q_n x_n. F$$

be a prenex LRA sentence. A SAT strategy for the satisfiability game $\varphi$ is a function

$$f : \{\pi \in \mathbb{Q}^* : |\pi| < n \land Q_{|\pi|+1} = \exists\} \to \mathbb{Q}$$

Similarly, an UNSAT strategy for $\varphi$ is a function

$$g : \{\pi \in \mathbb{Q}^* : |\pi| < n \land Q_{|\pi|+1} = \forall\} \to \mathbb{Q}$$

We say that a play $\pi$ of $\varphi$ conforms to a SAT strategy $f$ if for every $i \in \{1, \ldots, n\}$ such that $Q_i$ is $\exists$, we have

$$\pi_i = f(\pi_1 \cdots \pi_{i-1}).$$

That is, $\pi_i = f(\pi_1 \cdots \pi_{i-1})$ whenever $f(\pi_1 \cdots \pi_{i-1})$ is defined. Similarly, a play $\pi$ of $\varphi$ conforms to an UNSAT strategy $g$ if $\pi_i = g(\pi_1 \cdots \pi_{i-1})$ whenever $g(\pi_1 \cdots \pi_{i-1})$ is defined.

We say that a SAT strategy $f$ is winning if SAT wins every play that conforms to $f$. Similarly, an UNSAT strategy $g$ is winning if UNSAT wins every play that conforms to $g$. It is easy to show that $\varphi$ is satisfiable if and only if the SAT player has a winning strategy for the satisfiability game $\varphi$ (and $\varphi$ is unsatisfiable if and only if the UNSAT player has a winning strategy).
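To illustrate how two strategies determine a play, here is a minimal sketch on the game $\forall x. \exists y.\ x < y$, a toy example chosen for this illustration rather than taken from the paper. Strategies are modeled as Python functions from the tuple of previous moves to the next move; the helper names `play`, `matrix`, and `sat_wins_against` are hypothetical. Sampling a few UNSAT strategies only tests the SAT strategy; it does not prove that it is winning.

```python
from fractions import Fraction

def play(quantifiers, sat_strategy, unsat_strategy):
    """Return the play produced when both players follow their strategies."""
    moves = []
    for q in quantifiers:
        chooser = sat_strategy if q == "exists" else unsat_strategy
        moves.append(Fraction(chooser(tuple(moves))))
    return moves

# Game: forall x. exists y. x < y
quantifiers = ["forall", "exists"]

def matrix(moves):
    """The ground formula x < y, evaluated on a finished play."""
    x, y = moves
    return x < y

def f(prefix):
    """A SAT strategy: answer UNSAT's move with a strictly larger number."""
    return prefix[0] + 1

def sat_wins_against(g):
    """True if SAT wins the unique play conforming to both f and g."""
    return matrix(play(quantifiers, f, g))

# Try f against a few constant UNSAT strategies.
results = [sat_wins_against(lambda prefix, c=c: c) for c in (-3, 0, Fraction(7, 2))]
```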

For any prenex sentence $\varphi$, we use $\overline{\varphi}$ to refer to the negation-free formula equivalent to the negation of $\varphi$, obtained in the usual way. The formula $\overline{\varphi}$ defines a dual game, which is played as $\varphi$ but with the roles of the SAT and UNSAT player reversed. It is often useful to define terminology and algorithms for the SAT player and leave the analogous definition for the UNSAT player implicit by appealing to duality. For example, rather than defining UNSAT strategies explicitly, we could define an UNSAT strategy to be a SAT strategy for the dual game $\overline{\varphi}$. Note that, due to the completeness of the theory of linear rational arithmetic, we have:

Proposition 2.2. Let $\varphi$ be a prenex sentence. UNSAT has a winning strategy for $\varphi$ if and only if SAT has a winning strategy for the dual game $\overline{\varphi}$.

3 Strategy Skeletons

As defined in Section 2.2, a strategy is a function that determines the next move for a player starting from any position in the game. A strategy skeleton determines a finite set of possible moves for any position. A key feature of strategy skeletons (which are formally defined below) is that they are ordered: one skeleton is better than another if it associates more moves with every position. This order is exploited by the strategy improvement algorithm in Section 5, which operates by proposing a sequence of increasingly better candidate strategy skeletons.

Definition 3.1 (Strategy Skeleton). Let

$$\varphi = Q_1 x_1. Q_2 x_2. \cdots Q_n x_n. F$$

be a prenex LRA sentence. A SAT strategy skeleton for $\varphi$ is a finite, non-empty set $S \subseteq (\mathsf{Term} \cup \{\bullet\})^n$ of sequences over terms plus a distinguished placeholder $\bullet$, where each sequence $\pi_1 \cdots \pi_n \in S$ has length $n$ and such that for all $i \in \{1, \ldots, n\}$,

- if $Q_i$ is $\exists$, then $\pi_i$ is a term and $fv(\pi_i) \subseteq \{x_1, \ldots, x_{i-1}\}$
- if $Q_i$ is $\forall$, then $\pi_i$ is $\bullet$

An UNSAT strategy skeleton for $\varphi$ is defined to be a SAT strategy skeleton for the dual game $\overline{\varphi}$.

Example 3.2. Consider the following formula:

$$\varphi \triangleq \exists w. \forall x. \exists y. \forall z.\ (y < 1 \lor 2w < y) \land (z < y \lor x < z)$$

One possible SAT strategy skeleton for $\varphi$ is:

$$\{\, 1\ \bullet\ ((x+1)/2)\ \bullet,\quad 1\ \bullet\ (x+2)\ \bullet \,\},$$

which can be visualized as a tree. This tree indicates the moves available to a SAT player who plays according to this skeleton: on turn 1, the SAT player must choose 1. On turn 2, the choice belongs to the UNSAT player (represented by the placeholder $\bullet$). On turn 3, SAT may choose between $(x+1)/2$ and $x+2$ (where $x$ is the value the UNSAT player chose in the previous turn). Turn 4 again belongs to the UNSAT player, after which the game is finished.

Similar to the way that a strategy can be interpreted as a collection of plays (the plays that conform to that strategy), a strategy skeleton can be interpreted as a collection of strategies. We make this interpretation precise by defining what it means for a strategy to conform to a skeleton. Let $\varphi = Q_1 x_1. Q_2 x_2. \cdots Q_n x_n. F$ be a prenex LRA sentence, and let $S$ be a strategy skeleton for the SAT player on $\varphi$. We say that a play $\pi$ of $\varphi$ conforms to $S$ if there exists some $\rho_1 \cdots \rho_n \in S$ such that for all $i \in \{1, \ldots, n\}$ such that $Q_i$ is $\exists$, we have $[\![x_i]\!]^{M} = [\![\rho_i]\!]^{M}$, where $M$ is the valuation identified with the play $\pi$. We say that a strategy $f$ for $\varphi$ conforms to $S$ if every play that conforms to $f$ also conforms to $S$. A strategy skeleton is winning if some winning strategy conforms to it.
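Conformance of a play to a skeleton can be checked mechanically. The sketch below encodes the skeleton of Example 3.2 under an assumed representation that is not from the paper: each term is a Python function of the valuation of the earlier variables, and `HOLE` stands for the placeholder. The names `SKELETON` and `conforms` are hypothetical.

```python
from fractions import Fraction

HOLE = None  # the placeholder marking a move that belongs to UNSAT

# Quantifier prefix of Example 3.2: exists w. forall x. exists y. forall z.
VARS = ["w", "x", "y", "z"]
QUANTS = ["exists", "forall", "exists", "forall"]

# The two sequences of the skeleton: 1 . ((x+1)/2) .  and  1 . (x+2) .
SKELETON = [
    [lambda M: Fraction(1), HOLE, lambda M: (M["x"] + 1) / 2, HOLE],
    [lambda M: Fraction(1), HOLE, lambda M: M["x"] + 2, HOLE],
]

def conforms(play, skeleton):
    """True if some sequence of the skeleton agrees with the play on every SAT move."""
    M = dict(zip(VARS, map(Fraction, play)))
    return any(
        all(M[VARS[i]] == seq[i](M) for i in range(len(VARS)) if QUANTS[i] == "exists")
        for seq in skeleton
    )
```

For example, the play `[1, 3, 2, 0]` conforms via the first sequence (since (3 + 1)/2 = 2), while `[1, 3, 4, 0]` matches neither choice for y.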

Winning formulas. The goal of our decision procedure for LRA is to compute a winning skeleton for one of the players. The next step in developing this algorithm is to give a method for answering the question "is a given candidate strategy skeleton winning?" This question can be encoded into a universally quantified formula (the winning formula for the skeleton) which is satisfiable if and only if the skeleton is winning. The intuition behind this encoding is that we may replace each existential quantifier in the formula (representing the infinitely many possible moves available to the SAT player) with a finite disjunction (representing the finitely many possible moves that are available to the SAT player if the play must conform to the given skeleton).

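Formally, we define the winning formula $\mathit{win}(S, \varphi)$ for a strategy skeleton $S$ for the game $\varphi$ recursively as follows:

$$\begin{aligned}
\mathit{win}(S, \exists x_i. \psi) &\triangleq \bigvee \{\mathit{win}(S', \psi)[x_i \mapsto t] : S \xrightarrow{t} S'\} \\
\mathit{win}(S, \forall x_i. \psi) &\triangleq \forall x_i.\ \mathit{win}(\{\pi : \bullet\pi \in S\}, \psi) \\
\mathit{win}(S, F) &\triangleq F
\end{aligned}$$

where we write $S \xrightarrow{t} S'$ iff $S' = \{\pi : t\pi \in S\}$ and $S'$ is non-empty.

Proposition 3.3. Let $\varphi$ be a formula and let $S$ be a SAT strategy skeleton for $\varphi$. There is a winning SAT strategy for the game $\varphi$ that conforms to $S$ if and only if $\mathit{win}(S, \varphi)$ is satisfiable.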
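The recursive definition of the winning formula translates directly into code. The following is a minimal sketch under assumptions that are not from the paper: linear terms are dicts from variable names to coefficients (with key `1` for the constant), atoms are `("<", term)` and `("=", term)` meaning term < 0 and term = 0, and connectives are n-ary tuples. The names `lin`, `subst`, `win`, and `holds_at` are hypothetical, and `holds_at` only evaluates one instance of each universal quantifier, so it is a spot check rather than a decision procedure.

```python
from fractions import Fraction

HOLE = "•"  # placeholder for UNSAT's moves

def lin(const=0, **coeffs):
    """Linear term as a dict: variable -> coefficient, and key 1 -> constant."""
    t = {v: Fraction(c) for v, c in coeffs.items()}
    t[1] = Fraction(const)
    return t

def subst_term(s, x, t):
    """Return s[x -> t] for linear terms s and t."""
    c = s.get(x, Fraction(0))
    out = {k: v for k, v in s.items() if k != x}
    for k, v in t.items():
        out[k] = out.get(k, Fraction(0)) + c * v
    return out

def subst(F, x, t):
    """Return F[x -> t]."""
    if F[0] in ("<", "="):
        return (F[0], subst_term(F[1], x, t))
    if F[0] == "forall":  # bound variables are distinct, so no capture can occur
        return ("forall", F[1], subst(F[2], x, t))
    return (F[0],) + tuple(subst(G, x, t) for G in F[1:])

def win(S, prefix, F):
    """S: list of sequences; prefix: list of (quantifier, variable); F: ground formula."""
    if not prefix:
        return F
    (q, x), rest = prefix[0], prefix[1:]
    if q == "forall":
        return ("forall", x, win([p[1:] for p in S], rest, F))
    heads = []  # the distinct first moves t with S --t--> S'
    for p in S:
        if p[0] not in heads:
            heads.append(p[0])
    return ("or",) + tuple(
        subst(win([p[1:] for p in S if p[0] == t], rest, F), x, t) for t in heads
    )

def holds_at(F, M):
    """Evaluate F at one valuation M; a "forall" node is only checked at M's value."""
    if F[0] in ("<", "="):
        v = sum(c * (1 if k == 1 else M[k]) for k, c in F[1].items())
        return v < 0 if F[0] == "<" else v == 0
    if F[0] == "forall":
        return holds_at(F[2], M)
    combine = all if F[0] == "and" else any
    return combine(holds_at(G, M) for G in F[1:])

# Example 3.2: (y < 1 or 2w < y) and (z < y or x < z)
F = ("and",
     ("or", ("<", lin(-1, y=1)), ("<", lin(0, w=2, y=-1))),
     ("or", ("<", lin(0, z=1, y=-1)), ("<", lin(0, x=1, z=-1))))
prefix = [("exists", "w"), ("forall", "x"), ("exists", "y"), ("forall", "z")]
half = Fraction(1, 2)
S = [[lin(1), HOLE, lin(half, x=half), HOLE],
     [lin(1), HOLE, lin(2, x=1), HOLE]]
W = win(S, prefix, F)
```

The result `W` mentions only x and z: the existential variables w and y have been replaced by the skeleton's terms, and the two choices for y appear as a two-way disjunction under the quantifier for x.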

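Example 3.4. Again consider the formula $\varphi$ and SAT strategy skeleton from Example 3.2. The winning formula is

$$\forall x.\ \Big(\forall z.\ \big(\tfrac{x+1}{2} < 1 \lor 2 < \tfrac{x+1}{2}\big) \land \big(z < \tfrac{x+1}{2} \lor x < z\big)\Big) \lor \Big(\forall z.\ (x + 2 < 1 \lor 2 < x + 2) \land (z < x + 2 \lor x < z)\Big)$$

One may check that the winning formula is satisfiable, and therefore the strategy skeleton is winning and $\varphi$ is satisfiable.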
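The check left to the reader in Example 3.4 can be carried out by hand. The derivation below is a sketch that uses one auxiliary fact, stated here rather than taken from the paper: over the rationals, $\forall z.(z < a \lor x < z)$ holds exactly when $x < a$ (if $x \ge a$, the choice $z = x$ falsifies both disjuncts).

```latex
\begin{align*}
\text{First disjunct: }
  & \big(\tfrac{x+1}{2} < 1 \lor 2 < \tfrac{x+1}{2}\big) \iff (x < 1 \lor x > 3), \\
  & \forall z.\big(z < \tfrac{x+1}{2} \lor x < z\big) \iff x < \tfrac{x+1}{2} \iff x < 1, \\
  & \text{so the first disjunct holds iff } x < 1. \\[4pt]
\text{Second disjunct: }
  & (x + 2 < 1 \lor 2 < x + 2) \iff (x < -1 \lor x > 0), \\
  & \forall z.(z < x + 2 \lor x < z) \iff x < x + 2, \text{ which always holds}, \\
  & \text{so the second disjunct holds iff } x < -1 \lor x > 0. \\[4pt]
\text{Together: }
  & (x < 1) \lor (x < -1 \lor x > 0) \text{ holds for every rational } x.
\end{align*}
```

Every value of $x$ is therefore covered by at least one of the two moves for $y$, which is why the skeleton is winning.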

4 Counter-strategies

If a given strategy skeleton is not winning, then the opposing player has a counter-strategy skeleton that beats it (that is, the counter-strategy wins against every strategy that conforms to the given skeleton). In this section, we formalize counter-strategies and give an algorithm for synthesizing them.

Given a formula $\varphi$, a SAT strategy skeleton $S$ for $\varphi$, and an UNSAT strategy skeleton $U$ for $\varphi$, we say that $U$ is a counter-strategy for $S$ ($U$ beats $S$) if there exists a strategy $f$ that conforms to $U$ such that every play that conforms to both $S$ and $f$ is a win for UNSAT. Counter-strategies for UNSAT strategy skeletons are defined similarly. We may observe the following:

Observation 4.1 (Anti-symmetry). Let $S$ be a SAT strategy skeleton and $U$ be an UNSAT strategy skeleton. It cannot be the case that $S$ is a counter-strategy for $U$ and $U$ is a counter-strategy for $S$.

This kind of anti-symmetry is the key to our strategy improvement algorithm making progress. Throughout the course of the algorithm, SAT will propose a sequence of strategies $S_0, S_1, \ldots$ and UNSAT will propose a sequence of strategies $U_0, U_1, \ldots$, that are arranged as follows:

$$S_0 \subseteq S_1 \subseteq S_2 \subseteq \cdots \qquad U_0 \subseteq U_1 \subseteq U_2 \subseteq \cdots$$

[Diagram: the two chains drawn in parallel and linked by arrows labeled "beats".]

The inclusions $S_0 \subseteq S_1 \subseteq \cdots$ (and $U_0 \subseteq U_1 \subseteq \cdots$) hold by construction: $S_{i+1}$ is defined to be the union of $S_i$ and a counter-strategy that beats $U_i$. Anti-symmetry ensures that the inclusions are strict, so that the players make progress towards a winning strategy.

We now consider the question of how counter-strategies may be synthesized. Given a formula $\varphi$ and a SAT strategy $S$, Algorithm 1 either finds a counter-strategy to $S$ or determines that no counter-strategy exists (that is, $S$ is a winning strategy skeleton). (By duality, passing Algorithm 1 the formula $\overline{\varphi}$ and an UNSAT strategy $U$ for $\varphi$ finds a counter-strategy to $U$ or determines that $U$ is winning.)

1 Procedure has-counter-strategy($S$, $\varphi$)
  Input: LRA sentence $\varphi = Q_1 x_1 \cdots Q_n x_n. F$, SAT strategy $S$
  Output: Counter-strategy to $S$ if one exists; None if no counter-strategy exists
  /* Compute Herbrandized winning formula */
2 for each $\pi$ such that $\pi\pi' \in S$ for some $\pi'$ do
3   herbrand[$\pi$] $\leftarrow$ fresh Herbrand constant
4 $\mathit{win} \leftarrow \mathit{false}$
5 for $\pi \in S$ do
6   $G \leftarrow F$
7   for $i \leftarrow n$ downto 1 do
8     if $Q_i$ is $\exists$ then
9       $G \leftarrow G[x_i \mapsto \pi_i]$
10    else
11      $G \leftarrow G[x_i \mapsto \text{herbrand}[\pi_1 \cdots \pi_i]]$
12  $\mathit{win} \leftarrow \mathit{win} \lor G$
  /* win is the Herbrandized winning formula */
13 if $\lnot\mathit{win}$ is satisfiable then
  /* Synthesize a counter-strategy for S */
14   Let $M \models \lnot\mathit{win}$
15   $(U, G) \leftarrow \text{css}(\varphi, M, \lambda x.\bot, \epsilon, S)$ /* Alg. 2 */
16   return Counter-strategy $U$
17 else
  /* S is a winning strategy */
18   return None

Algorithm 1: Check if a strategy has a counter-strategy

We explain Algorithm 1 by illustrating its operation on the formula from Example 3.2,

$$\varphi \triangleq \exists w. \forall x. \exists y. \forall z.\ (y < 1 \lor 2w < y) \land (z < y \lor x < z)$$

using the SAT strategy $S = \{0\ \bullet\ x\ \bullet,\ 0\ \bullet\ (2x)\ \bullet\}$ for $\varphi$. Following the definition of $\mathit{win}$ from the previous section, the winning formula for $S$ is as follows:

$$\forall x.\ \big(\forall z.\ (x < 1 \lor 0 < x) \land (z < x \lor x < z)\big) \lor \big(\forall z.\ (2x < 1 \lor 0 < 2x) \land (z < 2x \lor x < z)\big)$$

Algorithm 1 begins by computing a Herbrandization of this winning formula (replacing each universally quantified variable with a fresh constant symbol), so that witnesses for each quantified variable can be computed from a model of its negation (should a model exist). The auxiliary map herbrand keeps track of the symbols introduced by Herbrandization:

$$\text{herbrand}[0\ \bullet] = x \qquad \text{herbrand}[0\ \bullet\ x\ \bullet] = z_1 \qquad \text{herbrand}[0\ \bullet\ (2x)\ \bullet] = z_2$$

After lines 2-12, the Herbrandized winning formula $\mathit{win}$ is:

$$\mathit{win} = \big((x < 1 \lor 0 < x) \land (z_1 < x \lor x < z_1)\big) \lor \big((2x < 1 \lor 0 < 2x) \land (z_2 < 2x \lor x < z_2)\big)$$

Notice that there is only one Herbrand constant ($x$) corresponding to the variable $x$ and there are two ($z_1$ and $z_2$) corresponding to the variable $z$. The intuition behind this can be illustrated by the structure of the satisfiability game tree for $\varphi$ when the SAT player conforms to $S$. The SAT player begins the game by playing 0 for $w$. The UNSAT player responds by choosing a value for $x$ (which we call $x$). The SAT player then has a choice to play either the same value that UNSAT played or twice that value. For each of these two moves, the UNSAT player may choose a different value for $z$: $z_1$ corresponds to UNSAT's choice in the first case, and $z_2$ corresponds to UNSAT's choice in the second.

1 Procedure css($\varphi$, $M$, $M^\pi$, $\pi$, $S$)
  Input: LRA formula $\varphi = Q_i x_i \cdots Q_n x_n. F$,
         Valuation $M : \text{Image}(\text{herbrand}) \to \mathbb{Q}$
         Valuation $M^\pi : \{x_1, \ldots, x_{i-1}\} \to \mathbb{Q}$
         Path $\pi \in (\mathsf{Term} \cup \{\bullet\})^{i-1}$
         SAT strategy $S$ for $\varphi$
  Output: $(U, G)$, where $U$ is an UNSAT strategy, $G$ is a formula, and such that $M^\pi \models G$, and for any $M' \models G$, $U$ beats $S$ starting from $M'$
2 if $i > n$ then
3   return $(\{\epsilon\}, \lnot F)$
4 $\varphi' \leftarrow Q_{i+1} x_{i+1} \cdots Q_n x_n. F$
5 if $Q_i$ is $\forall$ then
6   $M^\pi \leftarrow M^\pi\{x_i \mapsto [\![\text{herbrand}[\pi\bullet]]\!]^M\}$
7   $S' \leftarrow \{\pi' : \bullet\pi' \in S\}$
8   $(U, G) \leftarrow \text{css}(\varphi', M, M^\pi, \pi\bullet, S')$
9   $t \leftarrow \text{select}(M^\pi, x_i, G)$
10  return $(\{t\pi' : \pi' \in U\}, G[x_i \mapsto t])$
11 else
12  $U \leftarrow \emptyset$
13  $G \leftarrow \mathit{true}$
14  for $S \xrightarrow{t} S'$ do
15    $M^{\pi t} \leftarrow M^\pi\{x_i \mapsto [\![t]\!]^{M^\pi}\}$
16    $(U^+, G^+) \leftarrow \text{css}(\varphi', M, M^{\pi t}, \pi t, S')$
17    $G \leftarrow G \land (G^+[x_i \mapsto t])$
18    $U \leftarrow U \cup U^+$
19  return $(\{\bullet\pi' : \pi' \in U\}, G)$

Algorithm 2: Counter-strategy synthesis

After computing the Herbrandized winning formula $\mathit{win}$, Algorithm 1 checks if $\lnot\mathit{win}$ is satisfiable using an SMT solver. If $\lnot\mathit{win}$ is unsatisfiable then the procedure returns None: the winning formula is satisfiable and so $S$ is a winning strategy skeleton (by Proposition 3.3). Otherwise, the SMT solver returns a model of $\lnot\mathit{win}$, say

$$M = \{x \mapsto -2,\ z_1 \mapsto -2,\ z_2 \mapsto -3\}$$

$M$ corresponds to an UNSAT strategy $g$ that beats $S$:

$$g(\pi) = \begin{cases} -2 & \text{if } |\pi| = 1 \\ -2 & \text{if } |\pi| = 3 \land \pi_2 = \pi_3 \text{ (left path)} \\ -3 & \text{otherwise (right path)} \end{cases}$$

The next step of Algorithm 1 is to use the model $M$ to synthesize a counter-strategy skeleton for $S$ that generalizes the strategy $g$, using Algorithm 2. Algorithm 2 traverses the satisfiability game tree described above: on the way down (traversing a path $\pi$ from the root to a leaf), it builds a valuation ($M^\pi$) representing the unique play of the game where SAT conforms to $\pi$ and UNSAT conforms to $g$. Since $g$ beats $S$, this play is a win for UNSAT (i.e., $M^\pi \models \lnot((y < 1 \lor 2w < y) \land (z < y \lor x < z))$). For example, given the model $M$ above the two paths in the example give the models:

Left: $\{w \mapsto 0,\ x \mapsto -2,\ y \mapsto -2,\ z \mapsto -2\}$

Right: $\{w \mapsto 0,\ x \mapsto -2,\ y \mapsto -4,\ z \mapsto -3\}$
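The two leaf valuations can be checked with exact rational arithmetic. The sketch below assumes the model values $x = -2$, $z_1 = -2$, $z_2 = -3$ (negative signs are assumed here; with the positive values 2, 2, 3 the right-hand play would be a win for SAT, so those could not form a model of the negated formula). The function name `matrix` and the dictionaries are hypothetical helpers, not part of the paper.

```python
from fractions import Fraction as Q

def matrix(w, x, y, z):
    """The ground part of Example 3.2: (y < 1 or 2w < y) and (z < y or x < z)."""
    return (y < 1 or 2 * w < y) and (z < y or x < z)

# Assumed model of the negated Herbrandized winning formula.
M = {"x": Q(-2), "z1": Q(-2), "z2": Q(-3)}

# Plays along the two paths of S = {0 . x . , 0 . (2x) .}.
left = dict(w=Q(0), x=M["x"], y=M["x"], z=M["z1"])        # SAT copies x
right = dict(w=Q(0), x=M["x"], y=2 * M["x"], z=M["z2"])   # SAT doubles x

# The Herbrandized winning formula is the disjunction over both paths.
herbrandized_win = matrix(**left) or matrix(**right)
```

Both plays falsify the ground formula, so `herbrandized_win` is false under `M`: UNSAT wins whichever of the two moves SAT picks for y.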

When Algorithm 2 moves up the tree, it builds a counter-strategy skeleton $U$ and a formula $G$ such that:

(i) The model corresponding to the unfinished play is a model of $G$ (i.e., $M^\pi \models G$), and

(ii) $U$ beats $S$ starting from any play whose valuation $M'$ satisfies $M' \models G$.

Thus, at a recursive call of Algorithm 2 of depth $i$, $U$ is a counter-strategy skeleton for $S$ playing the part of the game after the $i$th quantifier (leaving the first $i$ moves fixed as in $M^\pi$), and $G$ is a formula that constrains the moves before the $i$th quantifier.

If depth $i$ corresponds to an existential quantifier, then the counter-strategy is extended by prepending the placeholder value $\bullet$ (line 19). If depth $i$ corresponds to a universal quantifier in $\varphi$, then Algorithm 2 uses a model-guided term selection function select to select an appropriate term with which to extend the counter-strategy (making conditions (i) and (ii) hold). Section 4.1 gives an implementation of select.

From property (ii) of Algorithm 2, we can conclude that when the call $\text{css}(\varphi, M, \lambda x.\bot, \epsilon, S)$ terminates, it returns a pair $(U, G)$ where $U$ is a counter-strategy for $S$ on the game $\varphi$, and $G$ is true.

Finally, we summarize the preceding discussion in the following proposition:

Proposition 4.2. Let $\varphi$ be a formula and let $S$ be a strategy skeleton for $\varphi$. If $S$ is a winning strategy for $\varphi$, then has-counter-strategy($S$, $\varphi$) returns None. If $S$ is not winning, then has-counter-strategy($S$, $\varphi$) returns a strategy skeleton for the UNSAT player on $\varphi$ that beats $S$.

4.1 Model-guided term selection

This sub-section defines select, the model-guided term selection procedure used in Algorithm 2. This function is inspired by model-based projection, an under-approximate quantifier elimination technique proposed in [Komuravelli et al., 2014], and the decision procedure for LRA presented in [Weispfenning, 1988] (a modification of the one proposed in [Ferrante and Rackoff, 1975]).

Given a ground formula $F$, a model $M \models F$, and a variable $x \in fv(F)$, the model-guided term selection function $\text{select}(M, x, F)$ must find a term $t$ such that $x$ does not appear in $t$ ($fv(t) \subseteq fv(F) \setminus \{x\}$) and $M \models F[x \mapsto t]$.

Observe that every atomic proposition in $F$ that contains $x$ can be written (after re-writing using standard arithmetical rules) in one of three forms: $x = s$, $x < s$, or $s < x$ (where $x$ does not appear in $s$). Let $EQ(M, x, F)$ be the set of all terms $s$ such that $x = s$ appears in $F$ and $[\![x]\!]^M = [\![s]\!]^M$, let $UB(M, x, F)$ be the set of all terms $s$ such that $x < s$ appears in $F$ and $[\![x]\!]^M < [\![s]\!]^M$, and let $LB(M, x, F)$ be the set of all terms $s$ such that $s < x$ appears in $F$ and $[\![s]\!]^M < [\![x]\!]^M$. Since (by assumption) $M$ is a model of $F$, $M$ is also a model of $F[x \mapsto t]$ for any term $t$ such that $t$ satisfies the same equations, lower bounds, and upper bounds as $x$ (i.e., $[\![t]\!]^M = [\![s]\!]^M$ for all $s \in EQ(M, x, F)$, $[\![t]\!]^M < [\![s]\!]^M$ for all $s \in UB(M, x, F)$, and $[\![s]\!]^M < [\![t]\!]^M$ for all $s \in LB(M, x, F)$).

The procedure $\text{select}(M, x, F)$ proceeds as follows. If $EQ(M, x, F)$ is non-empty, then we define $eq(M, x, F)$ to be some arbitrarily-chosen member. Otherwise, suppose that $UB(M, x, F)$ is non-empty. Then there exists a (not necessarily unique) least upper bound $u \in UB(M, x, F)$ such that $[\![u]\!]^M \le [\![s]\!]^M$ for all $s \in UB(M, x, F)$. We let $lub(M, x, F)$ be an arbitrarily-chosen least upper bound for $x$ if one exists. Similarly, we define $glb(M, x, F)$ to be an arbitrarily-chosen greatest lower bound if one exists. Finally, we define select:

$$\text{select}(M, x, F) \triangleq \begin{cases}
eq(M, x, F) & \text{if } EQ(M, x, F) \neq \emptyset \\
\tfrac{1}{2}\big(lub(M, x, F) + glb(M, x, F)\big) & \text{if } UB(M, x, F) \neq \emptyset \text{ and } LB(M, x, F) \neq \emptyset \\
lub(M, x, F) - 1 & \text{if } UB(M, x, F) \neq \emptyset \\
glb(M, x, F) + 1 & \text{if } LB(M, x, F) \neq \emptyset \\
0 & \text{otherwise}
\end{cases}$$

where the cases are tried in order. The term $\text{select}(M, x, F)$ satisfies the same equations, lower bounds, and upper bounds as $x$. As a result, we have the following lemma, which is sufficient for the correctness argument of Algorithm 2 (in particular, the lemma is sufficient to prove that the algorithm maintains properties (i) and (ii) above):

Lemma 4.3 (Model preservation). Suppose $M \models F$. Then $M \models F[x \mapsto \text{select}(M, x, F)]$.
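The case analysis for select can be sketched in a few lines. This is an illustrative version under assumptions that are not from the paper: the atoms containing x are supplied already normalized as pairs `(kind, s)` with `kind` in `{"eq", "ub", "lb"}` standing for x = s, x < s, and s < x, and linear terms are dicts from variable names to coefficients with key `1` for the constant. The helper names `value`, `shift`, and `midpoint` are hypothetical.

```python
from fractions import Fraction

def value(t, M):
    """Evaluate a linear term {var: coeff, 1: const} under valuation M."""
    return sum(c * (1 if v == 1 else M[v]) for v, c in t.items())

def shift(t, k):
    """Return the term t + k."""
    out = dict(t)
    out[1] = out.get(1, 0) + Fraction(k)
    return out

def midpoint(s, t):
    """Return the term (s + t) / 2."""
    return {k: (Fraction(s.get(k, 0)) + t.get(k, 0)) / 2 for k in set(s) | set(t)}

def select(M, x, atoms):
    """Pick a term without x that satisfies the same atoms as x does in M."""
    xv = M[x]
    EQ = [s for kind, s in atoms if kind == "eq" and value(s, M) == xv]
    UB = [s for kind, s in atoms if kind == "ub" and xv < value(s, M)]
    LB = [s for kind, s in atoms if kind == "lb" and value(s, M) < xv]
    if EQ:
        return EQ[0]
    lub = min(UB, key=lambda s: value(s, M)) if UB else None
    glb = max(LB, key=lambda s: value(s, M)) if LB else None
    if UB and LB:
        return midpoint(lub, glb)
    if UB:
        return shift(lub, -1)
    if LB:
        return shift(glb, 1)
    return {1: Fraction(0)}

# F = (x < y) and (0 < x), with model x = 1, y = 3.
M = {"x": Fraction(1), "y": Fraction(3)}
atoms = [("ub", {"y": Fraction(1)}), ("lb", {1: Fraction(0)})]
t = select(M, "x", atoms)   # the term y / 2
```

In the example, the selected term y/2 evaluates to 3/2 under `M`, which lies strictly between the lower bound 0 and the upper bound 3, so substituting it for x preserves the model.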

The function select also satisfies a finite-image property, which is crucial for the termination argument of the decision procedure for LRA that we present in the next section:

Lemma 4.4 (Finite Image). Let $F$ be a formula and $x$ be a variable. The set $\{\text{select}(M, x, F) : M \models F\}$ is finite.

Proof. Define an equivalence relation $\sim_F$ on valuations, where $M \sim_F M'$ if and only if $M$ and $M'$ satisfy the same set of atomic propositions in $F$. There are finitely many equivalence classes of $\sim_F$ (since there are finitely many atomic propositions in $F$), and select selects equal terms for equivalent models, and so the set $\{\text{select}(M, x, F) : M \models F\}$ is finite.

5 A strategy improvement algorithm for LRA

This section describes a decision procedure for linear rational arithmetic based on strategy improvement. The algorithm is given in Algorithm 3. Given an input formula

$$\varphi = Q_1 x_1 \cdots Q_n x_n. F$$

the algorithm operates as follows. First, query an SMT solver for a model of the formula $F$. If no model exists, then clearly $\varphi$ is unsatisfiable. If a model does exist, then we may use it to construct an initial strategy skeleton for the SAT player, similarly to the way that Algorithm 2 constructs a counter-strategy from a model (lines 4-13).

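  Input: LRA sentence $\varphi = Q_1 x_1 \cdots Q_n x_n. F$
  Output: true if $\varphi$ is satisfiable, false if $\varphi$ is unsatisfiable
1 if $F$ is unsatisfiable then
2   return false
  /* Compute initial strategy for SAT */
3 Let $M \models F$
4 $G \leftarrow F$
5 for $i \leftarrow n$ downto 1 do
6   if $Q_i$ is $\exists$ then
7     $t \leftarrow \text{select}(M, x_i, G)$
8     $G \leftarrow G[x_i \mapsto t]$
9     $\pi_i \leftarrow t$
10  else
11    $G \leftarrow G[x_i \mapsto \text{select}(M, x_i, G)]$
12    $\pi_i \leftarrow \bullet$
13 $S \leftarrow \{\pi_1 \cdots \pi_n\}$
14 $U \leftarrow \emptyset$
  /* Strategy improvement */
15 while true do
16   switch has-counter-strategy($S$, $\varphi$) do
17     case Counter-strategy $U'$ do
18       $U \leftarrow U \cup U'$
19     otherwise do
         /* No counter-strategy implies S is winning */
20       return true
21   switch has-counter-strategy($U$, $\overline{\varphi}$) do
22     case Counter-strategy $S'$ do
23       $S \leftarrow S \cup S'$
24     otherwise do
25       return false

Algorithm 3: Satisfiability modulo LRA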

After constructing the initial strategy skeleton for SAT, we begin the strategy improvement phase of the algorithm, depicted in the diagram of Section 4. At the start of the loop, we have a SAT strategy skeleton $S$ and an UNSAT strategy skeleton $U$, such that $S$ beats $U$ (or $U$ is empty). First, we try to synthesize a counter-strategy to $S$. If counter-strategy synthesis fails, the algorithm terminates: $S$ is a winning strategy, so $\varphi$ is satisfiable. If has-counter-strategy does synthesize a counter-strategy, it is added to the candidate UNSAT strategy $U$ (improving it). Next, we repeat this process for the candidate UNSAT strategy $U$, and either terminate upon proving that $U$ is a winning strategy or find a counter-strategy with which to improve $S$ and continue looping.
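The shape of the improvement loop can be seen on a finite analogue. The sketch below is not the LRA procedure: it decides a one-alternation game "exists r in rows, forall c in cols, `sat_wins(r, c)`" over finite move sets, where a candidate SAT skeleton is simply a set of rows and a candidate UNSAT skeleton a set of columns. The function `improve` and its parameters are hypothetical names chosen for this illustration. Termination follows the same progress argument as in the text: each round adds to `S` a row that beats every column in `U`, while every row already in `S` is beaten by some column in `U`.

```python
def improve(rows, cols, sat_wins):
    """Decide 'exists r. forall c. sat_wins(r, c)' by alternating refinement."""
    S = {rows[0]}   # candidate SAT moves
    U = set()       # candidate UNSAT moves
    while True:
        # Look for a counter-strategy to S: one defeating column per row in S.
        counter = {}
        for r in S:
            beaten_by = [c for c in cols if not sat_wins(r, c)]
            if not beaten_by:
                return True, r          # r wins against every column
            counter[r] = beaten_by[0]
        U |= set(counter.values())
        # Look for a counter-strategy to U: a row that wins against all of U.
        better = [r for r in rows if all(sat_wins(r, c) for c in U)]
        if not better:
            return False, U             # the columns in U defeat every row
        S.add(better[0])

moves = list(range(4))
sat_result = improve(moves, moves, lambda r, c: r >= c)
unsat_result = improve(moves, moves, lambda r, c: r != c)
```

In the first game the largest row wins, and the loop discovers it after enlarging `S` one row at a time; in the second game every row is defeated by the equal column, and the loop stops once `U` contains all of them.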

Algorithm 3 returns true only when it has synthesized a SAT strategy skeleton for which the winning formula is satisfiable (i.e., the negation of its winning formula is unsatisfiable), and returns false only when it has synthesized an UNSAT strategy skeleton for which the winning formula is satisfiable. Thus, partial correctness of Algorithm 3 is an immediate corollary of Proposition 3.3: if Algorithm 3 returns true, then $\varphi$ is satisfiable, and if Algorithm 3 returns false, then $\varphi$ is unsatisfiable.

The termination argument for Algorithm 3 is based on two properties: progress (as the algorithm progresses, the strategy skeleton $S$ is strictly increasing), and finiteness (there is a finite bound on the size of $S$). The progress argument (mentioned in Section 4) comes from the anti-symmetry property of counter-strategies (Observation 4.1). The finiteness argument is by induction on quantifier depth. The base case is by Lemma 4.4. If we assume that the finiteness condition holds for all strategies for a given formula $\varphi$ of depth $n$, then we prove the same holds for depth $n + 1$ by arguing that the algorithm computes the first move of the game by calling $\text{select}(M, x, F)$, where $F$ is some formula obtained by substituting terms from a counter-strategy of depth $n$ into a negated, Herbrandized winning formula of a strategy of depth $n$, $M$ is a model of $F$, and $x$ is the variable associated with the first move of the game. By the induction hypothesis, the set of all possible such $F$ is finite, so by Lemma 4.4, the set of terms that could be selected for $x$ is finite, and thus the set of skeletons is finite.

Combining the above arguments for partial correctness and termination, we close the section with the following theorem:

Theorem 5.1. Algorithm 3 is a decision procedure for LRA.

6 Beyond LRA

The focus of this article is satisfiability in the theory of linear rational arithmetic, but the core ideas behind the strategy improvement algorithm can be extended to other theories. This section discusses what we require of a theory in order to apply our algorithm.

There are three assumptions on the theory that must be met in order to use strategy improvement as a decision procedure.

1. The quantifier-free fragment of the theory in question must be decidable, and models for satisfiable formulas must be effectively constructible.

2. The theory must be complete. This is required because Algorithm 3 checks that the (universally quantified) winning formula for a skeleton is satisfiable by checking that its (existentially quantified) negation is unsatisfiable.

3. The theory admits a model-guided term selection function that is model-preserving (Lemma 4.3) and has finite images (Lemma 4.4).

Thus, the design work involved in extending the strategy improvement algorithm to a new theory is in devising a term selection function. In fact, condition 3 can be weakened slightly to require only that a theory admits a model-guided virtual term selection function. A virtual term is a term that does not belong to the theory in question, but which may be evaluated in any model of the theory and for which substitution is theory-definable. Section 6.1 gives a term selection function (based on ideas from [Cooper, 1972; Komuravelli et al., 2014]) for linear integer arithmetic that makes use of such virtual terms.

Remark 6.1. It is worth noting that our requirements for virtual terms are stronger than ones usually employed by quantifier elimination procedures [Cooper, 1972; Loos and Weispfenning, 1993; Komuravelli et al., 2014; Bjørner and Janota, 2015]. For example, the LIA quantifier elimination procedure from [Cooper, 1972] makes use of the virtual term $-\infty$, which does not meet our requirements because it cannot be evaluated in the standard model of the integers.

We leave the development of term selection functions for other theories as a promising direction for future work.

6.1 Term selection for Linear Integer Arithmetic

Linear integer arithmetic is an important theory for application in program analysis and verification. The syntax of LIA is the same as for LRA, except that constants are integers, and the language is extended with divisibility predicates $a \mid t$ (where $a \in \mathbb{Z}$ is a positive integer and $t$ is a term). In the remainder of the section we will develop a virtual term selection function for linear integer arithmetic.

First we define virtual terms and virtual substitution. We consider virtual terms of the form $\lfloor t/a \rfloor + b$, where $t$ is a term with $fv(t) \subseteq fv(F) \setminus \{x\}$, $a \in \mathbb{Z}$ is a positive integer, and $b \in \mathbb{Z}$ is an integer. The syntax of LIA does not admit integral division $\lfloor t/a \rfloor$, so virtual terms do not belong to the syntax of LIA. However, integral division can be interpreted in any valuation ($[\![\lfloor t/a \rfloor]\!]^M$ is well-defined), and for any formula $\varphi$, variable $x$, and virtual term $\lfloor t/a \rfloor + b$, we can perform a virtual substitution that yields a formula equivalent to $\varphi[x \mapsto \lfloor t/a \rfloor + b]$ but which belongs to the syntax of LIA:

Definition 6.2 (Virtual Substitution). Let $\varphi$ be a formula, $x$ be a variable, and $\lfloor t/a \rfloor + b$ be a virtual term. Without loss of generality, we assume that every atomic proposition in $\varphi$ in which $x$ appears takes one of the following forms:

$$cx < s \qquad s < cx \qquad d \mid cx + s$$

where $s$ denotes a term with $x \notin fv(s)$ and $c$ and $d$ denote positive integers. (Note that the equality symbol is not needed because $s = s'$ may be replaced by $s < s' + 1 \land s' < s + 1$.)

We define the virtual substitution $\varphi[x \leadsto \lfloor t/a \rfloor + b]$ to be the formula obtained by renaming the bound variables in $\varphi$ to avoid capture and replacing each atomic proposition in $\varphi$ in which $x$ appears as follows:

$$\begin{aligned}
cx < s \ &\mapsto\ \bigvee_{i=0}^{a-1} \big(a \mid (t - i) \land c(t - i + ab) < as\big) \\
s < cx \ &\mapsto\ \bigvee_{i=0}^{a-1} \big(a \mid (t - i) \land as < c(t - i + ab)\big) \\
d \mid cx + s \ &\mapsto\ \bigvee_{i=0}^{a-1} \big(a \mid (t - i) \land ad \mid c(t - i + ab) + as\big)
\end{aligned}$$
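The idea behind virtual substitution is that exactly one $i$ in $\{0, \ldots, a-1\}$ makes $a$ divide $t - i$, and for that $i$ we have $\lfloor t/a \rfloor = (t - i)/a$, so the floor can be cleared by multiplying through by $a$. The following brute-force check is a sketch for the upper-bound case $cx < s$ only; here `t` and `s` stand for the integer values of the corresponding terms in some valuation, and the function names `direct` and `virtual` are hypothetical.

```python
def direct(c, s, t, a, b):
    """Truth value of c*x < s with x = floor(t / a) + b."""
    return c * (t // a + b) < s

def virtual(c, s, t, a, b):
    """Disjunction over i in 0..a-1 of: a | (t - i) and c*(t - i + a*b) < a*s."""
    return any((t - i) % a == 0 and c * (t - i + a * b) < a * s for i in range(a))

# Compare both readings on a small grid of integer values.
mismatches = [
    (c, s, t, a, b)
    for c in range(1, 4)
    for s in range(-6, 7)
    for t in range(-6, 7)
    for a in range(1, 4)
    for b in range(-2, 3)
    if direct(c, s, t, a, b) != virtual(c, s, t, a, b)
]
```

The grid includes negative values of `t`, where Python's `//` and `%` agree with the mathematical floor and the non-negative remainder used in the definition.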

The development of the previous three sections can be repeated with virtual terms and virtual subsitution in place of terms and classical substitution. The only thing that remains to extend the strategy improvement algorithm to LIA is to deﬁne a virtual term selection function vselect that satisﬁes the model preservation and ﬁnite image properties.

Let $F$ be a LIA formula, let $M \models F$ be a model, and let $x$ be a variable. We require $\mathit{vselect}(M, x, F)$ to satisfy the model preservation property

\[ M \models F[x \rightsquigarrow \mathit{vselect}(M, x, F)] . \]

Since $F$ is negation-free, it is sufficient for model preservation to hold on all the atomic propositions of $F$ that contain $x$. Observe that every atomic proposition in $F$ that contains $x$ can be written in one of three forms: $(cx < s)$, $(s < cx)$, or $(d \mid cx + s)$ (where $x$ does not appear in $s$). Let $\mathit{UB}(M, x, F)$ be the set of all atoms $(cx < s)$ that appear in $F$ such that $c[\![x]\!]^M < [\![s]\!]^M$, let $\mathit{LB}(M, x, F)$ be the set of all atoms $(s < cx)$ that appear in $F$ such that $[\![s]\!]^M < c[\![x]\!]^M$, and let $\mathit{Div}(M, x, F)$ be the set of all divisibility atoms $(d \mid cx + s)$ in $F$ such that $d$ divides $[\![cx + s]\!]^M$.

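First we consider the constraints that the divisibility atoms $\mathit{Div}(M, x, F)$ place on $\mathit{vselect}(M, x, F)$. Let $(d \mid cx + s) \in \mathit{Div}(M, x, F)$. Observe that for any integer $z \in \mathbb{Z}$,

\[
\begin{aligned}
d \mid cz + [\![s]\!]^M &\iff cz \equiv c[\![x]\!]^M \pmod{d} \\
&\iff z \equiv [\![x]\!]^M \pmod{d/\gcd(|c|, d)} .
\end{aligned}
\]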
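The equivalence above can be checked by brute force on small integers. The sketch below is only an illustration: `satisfies_atom` and `congruent_to_model` are hypothetical names, and `s_val` and `x_val` stand for the values $[\![s]\!]^M$ and $[\![x]\!]^M$ under the assumption that the atom holds in $M$.

```python
from math import gcd

def satisfies_atom(d, c, s_val, z):
    """Does d divide c*z + s_val?"""
    return (c * z + s_val) % d == 0

def congruent_to_model(d, c, x_val, z):
    """Is z congruent to x_val modulo d / gcd(|c|, d)?"""
    modulus = d // gcd(abs(c), d)
    return (z - x_val) % modulus == 0

def check_equivalence(d, c, x_val, k, z_range):
    """Pick s_val so that d | c*x_val + s_val, then compare both tests on z_range."""
    s_val = d * k - c * x_val  # guarantees the atom is true in the model
    return all(satisfies_atom(d, c, s_val, z) == congruent_to_model(d, c, x_val, z)
               for z in z_range)
```

For instance, with $d = 6$ and $c = 4$ the modulus is $6/\gcd(4, 6) = 3$, so any $z$ that differs from $[\![x]\!]^M$ by a multiple of 3 satisfies the atom.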

Thus, the divisibility atom $(d \mid cx + s)$ is satisfied so long as

\[ [\![\mathit{vselect}(M, x, F)]\!]^M \equiv [\![x]\!]^M \pmod{d/\gcd(|c|, d)} . \]

To collect all such divisibility constraints into one, we define

\[ \delta(M, x, F) \triangleq \mathrm{lcm}\left\{ \frac{d}{\gcd(|c|, d)} : (d \mid cx + s) \in \mathit{Div}(M, x, F) \right\} \]

and require that

\[ [\![\mathit{vselect}(M, x, F)]\!]^M \equiv [\![x]\!]^M \pmod{\delta(M, x, F)} . \]

Next, we consider the constraints that the upper bound atoms $\mathit{UB}(M, x, F)$ place on $\mathit{vselect}(M, x, F)$. Suppose that $\mathit{UB}(M, x, F)$ is non-empty. Then there exists a term $t$, a positive integer $a$, and non-negative integer $b$ less than $\delta(M, x, F)$ such that:

1. $(ax < t) \in \mathit{UB}(M, x, F)$,

2. $[\![\lfloor (t - 1)/a \rfloor - b]\!]^M \equiv [\![x]\!]^M \pmod{\delta(M, x, F)}$, and

3. For any other $t'$, $a'$, $b'$ with the above properties, we have

\[ [\![\lfloor (t - 1)/a \rfloor - b]\!]^M \le [\![\lfloor (t' - 1)/a' \rfloor - b']\!]^M . \]

We define $\mathit{lub}(M, x, F)$ to be a virtual term $\lfloor (t - 1)/a \rfloor - b$ satisfying these three properties (picking one arbitrarily if there are several choices). Property 2 ensures that $\mathit{lub}(M, x, F)$ satisfies all divisibility constraints in $\mathit{Div}(M, x, F)$ and property 3 ensures that $\mathit{lub}(M, x, F)$ satisfies all upper bound constraints $\mathit{UB}(M, x, F)$. Property 2 and the fact that $b$ is less than $\delta(M, x, F)$ imply that $[\![x]\!]^M \le [\![\mathit{lub}(M, x, F)]\!]^M$, and so $\mathit{lub}(M, x, F)$ also satisfies all lower bound constraints. However, if $\mathit{UB}(M, x, F)$ is empty, we need to consider lower bound constraints explicitly, so we define $\mathit{glb}(M, x, F)$ analogously to $\mathit{lub}(M, x, F)$ if $\mathit{LB}(M, x, F)$ is non-empty. Finally, we define vselect:

\[
\mathit{vselect}(M, x, F) \triangleq
\begin{cases}
\mathit{lub}(M, x, F) & \text{if } \mathit{UB}(M, x, F) \neq \emptyset \\
\mathit{glb}(M, x, F) & \text{if } \mathit{LB}(M, x, F) \neq \emptyset \\
[\![x]\!]^M \bmod \delta(M, x, F) & \text{otherwise}
\end{cases}
\]

The argument that the finite image property holds for vselect is the same as the one for select (Lemma 4.4).
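To make the three cases concrete, here is a minimal Python sketch that computes the value $[\![\mathit{vselect}(M, x, F)]\!]^M$ from atoms whose terms have already been evaluated in $M$. It is an illustration under stated assumptions rather than the implementation used in SIMSAT: the tuple encodings of atoms and the names `vselect_value` and `atom_truth` are hypothetical, the function returns an integer rather than a symbolic virtual term, and the `glb` branch is one plausible reading of "analogously" (the least integer above a lower bound, raised by the smallest offset that restores the congruence).

```python
from math import gcd

def vselect_value(x, ub_atoms, lb_atoms, div_atoms):
    """x: value of the variable in M.
    ub_atoms:  (a, t)    encodes a*x < t      (t already evaluated in M)
    lb_atoms:  (s, c)    encodes s < c*x
    div_atoms: (d, c, s) encodes d | c*x + s
    All coefficients a, c, d are assumed to be positive integers."""
    # Keep only the atoms that M satisfies: the sets UB, LB and Div.
    ub = [(a, t) for (a, t) in ub_atoms if a * x < t]
    lb = [(s, c) for (s, c) in lb_atoms if s < c * x]
    div = [(d, c, s) for (d, c, s) in div_atoms if (c * x + s) % d == 0]

    # delta = lcm of d / gcd(|c|, d); the lcm of the empty set is taken as 1.
    delta = 1
    for d, c, _ in div:
        m = d // gcd(abs(c), d)
        delta = delta * m // gcd(delta, m)

    if ub:
        candidates = []
        for a, t in ub:
            base = (t - 1) // a        # largest integer z with a*z < t
            b = (base - x) % delta     # least b in [0, delta) restoring x mod delta
            candidates.append(base - b)
        return min(candidates)         # property 3: the least such value
    if lb:
        candidates = []
        for s, c in lb:
            base = s // c + 1          # smallest integer z with s < c*z
            b = (x - base) % delta
            candidates.append(base + b)
        return max(candidates)         # assumed dual of property 3
    return x % delta

def atom_truth(x, ub_atoms, lb_atoms, div_atoms):
    """Truth value of every atom at x, in a fixed order."""
    return ([a * x < t for a, t in ub_atoms]
            + [s < c * x for s, c in lb_atoms]
            + [(c * x + s) % d == 0 for d, c, s in div_atoms])
```

Model preservation then amounts to the statement that every atom that is true at `x` in `atom_truth` is still true at the value returned by `vselect_value`; atoms that are false at `x` are unconstrained because $F$ is negation-free.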

7 Experimental Evaluation

We have implemented Algorithm 3 in a prototype tool called SIMSAT. The tool is implemented in OCaml and uses Z3 to solve ground formulas [De Moura and Bjørner, 2008].

Comparison with related techniques. Heuristic quantifier instantiation is a sound but incomplete technique that is commonly used to handle quantifiers in SMT solvers [De Moura and Bjørner, 2007; Ge et al., 2007]. Our experimental evaluation compares with the experimental configuration of CVC4 [Barrett et al., 2011], which won the LRA category in the 2015 SMT competition. CVC4 uses a portfolio of quantifier instantiation techniques.

Figure 1: Distribution of run-time over solved instances (axes: instances solved, time in seconds; series: CVC4, Z3, SIMSAT)

Bjørner and Janota recently developed a decision procedure for LRA (as well as other theories) that is based on the intuition of satisfiability games [Bjørner and Janota, 2015]. Conceptually, their procedure solves satisfiability games by exploring the game tree in a forwards direction. The SAT and UNSAT players take turns instantiating quantifiers until one of them loses; the losing player then backjumps to an earlier quantification level and learns a blocking clause that removes a part of the search space that would result in a loss for that player. In contrast, in Algorithm 3, players take turns synthesizing strategies for the entire game, rather than synthesizing the next move. Algorithm 3 requires solving larger formulas (corresponding to the whole game), but the payoff is a more global perspective of the game.

Dutertre developed an efficient algorithm for solving $\exists\forall$ problems in the theory of linear rational arithmetic [Dutertre, 2015]. At a high level, Dutertre's algorithm operates similarly to Algorithm 3 when restricted to the $\exists\forall$ fragment. Dutertre uses a term selection function similar to the one in §4.1, but with some interesting heuristic improvements (that do not extend to the case of arbitrary quantification in an obvious way).

Monniaux developed a lazy quantifier elimination algorithm for LRA formulas with alternating quantifiers that is based on geometric quantifier elimination (polyhedra projection) [Monniaux, 2010]. This algorithm was implemented in a satisfiability procedure in Z3 [Phan et al., 2012]. The experimental evaluation in [Bjørner and Janota, 2015] shows that Bjørner and Janota's algorithm outperforms lazy quantifier elimination, so we omit it from our evaluation.

Results. We evaluated SIMSAT on a suite of benchmarks drawn from SMT-LIB2 [Barrett et al., 2010] and Mjollnir [Monniaux, 2010]. The experimental evaluation was performed on a Linux machine with Intel Core i5 2.80GHz processors and 4GB of memory. The time limit was set to 300 seconds.

The table below summarizes the number of solved problem instances by each tool. The results are divided into three categories: industrial benchmarks (from SMT-LIB2) with an $\exists\forall$ quantifier prefix, industrial benchmarks (from SMT-LIB2) with a non-$\exists\forall$ quantifier prefix (all of which happened to have a quantifier prefix of the form $\exists\forall\exists$), and random benchmarks (from both SMT-LIB2 and Mjollnir). SIMSAT, Z3 (implementing the algorithm from [Bjørner and Janota, 2015]), CVC4, and Yices (implementing the algorithm from [Dutertre, 2015]) all solve all industrial $\exists\forall$ benchmarks (all tools have a mean running time of less than 0.01 seconds). On the remaining industrial benchmarks, SIMSAT and Z3 solve all instances (SIMSAT mean time 1 second, Z3 mean time 0.02 seconds) while CVC4 solves 83%. On the random benchmarks, SIMSAT dominates (93%), followed by Z3 (86%) and CVC4 (71%).

Figure 2: Formula size vs. winning formula size (axes: formula size, winning formula size)

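| Benchmarks | SIMSAT | Z3 | CVC4 | YICES |
|---|---|---|---|---|
| Industrial $\exists\forall$ (247) | 247 | 247 | 247 | 247 |
| Industrial $\exists\forall\exists$ (144) | 144 | 144 | 119 | - |
| Random (2030) | 1881 | 1743 | 1432 | - |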

The distribution of running times of the three tools across random benchmarks is depicted in the cactus plot in Figure 1 (a point (x, y) in the plot represents that x instances are solved in y seconds). Note that SIMSAT can solve in 5.3s as many instances as Z3 can solve in 300s.
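For readers unfamiliar with cactus plots, the following Python sketch shows one common way such points are derived from per-instance running times. It is an illustration only: the function name, the use of `None` for unsolved instances, and the sample data in the usage note are assumptions, and the sketch reads "x instances are solved in y seconds" as "the x fastest instances each finish within y seconds".

```python
def cactus_points(runtimes, time_limit=300.0):
    """Return cactus-plot points (x, y): the x-th fastest solved instance took y seconds.

    runtimes: iterable of per-instance times in seconds, or None if unsolved.
    Instances that exceed time_limit are treated as unsolved.
    """
    solved = sorted(t for t in runtimes if t is not None and t <= time_limit)
    return [(rank, t) for rank, t in enumerate(solved, start=1)]

def solved_within(runtimes, budget, time_limit=300.0):
    """Number of instances solved when each instance is given `budget` seconds."""
    return sum(1 for _, t in cactus_points(runtimes, time_limit) if t <= budget)
```

With hypothetical data, comparing `solved_within(times_a, 5.3)` against `solved_within(times_b, 300)` is the kind of reading that underlies the comparison of SIMSAT and Z3 stated above.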

Figure 2 plots the size of input formulas against the size of the winning formula for the winning strategy computed by SIMSAT (or the last candidate strategy if SIMSAT did not terminate within 300 seconds). Formula size is measured as the number of nodes in a DAG representation of the formula. For legibility, the plot truncates input formula size at 3000 and the winning formula size at 50000. Note that on the industrial benchmarks, the relationship between input formula size and winning formula size is linear.

Linear integer arithmetic. We also evaluated SIMSAT as a decision procedure for linear integer arithmetic, using the virtual term selection procedure described in §6. The benchmarks are drawn from SMT-LIB2 and randomly generated benchmarks. The table below summarizes the number of solved problem instances by each tool (excluding Yices, which does not implement an LIA solver). SIMSAT and Z3 both solve all industrial instances (SIMSAT mean time 1.2 seconds, Z3 mean time 0.1 seconds), while CVC4 solves 59%. On the random benchmarks, SIMSAT solves the most instances (71%), followed by CVC4 (70%) and Z3 (58%).

| Benchmarks | SIMSAT | Z3 | CVC4 |
|---|---|---|---|
| Industrial (390) | 390 | 390 | 231 |
| Random (300) | 212 | 174 | 211 |

8 Conclusion

This article presents a decision procedure for the theory of linear arithmetic based on strategy improvement for satisfiability games. There are several avenues for future work in this direction. The strategy improvement algorithm is very sensitive to model selection, so it would be interesting to experiment with heuristics for different models of ground formulas. Another promising direction is to extend the strategy synthesis algorithm to other decidable theories, such as the theory of algebraic data types. Another direction is to investigate uses for the strategy synthesis capability of the algorithm: just as there are many applications for models of ground formulas, we believe there may be interesting uses for winning strategies of quantified formulas.

References

[Barrett et al., 2010] Clark Barrett, Aaron Stump, and Cesare Tinelli. The Satisfiability Modulo Theories Library (SMT-LIB). www.SMT-LIB.org, 2010.

[Barrett et al., 2011] Clark Barrett, Christopher L Conway, Morgan Deters, Liana Hadarean, Dejan Jovanović, Tim King, Andrew Reynolds, and Cesare Tinelli. CVC4. In CAV, pages 171–177, 2011.

[Bjørner and Janota, 2015] Nikolaj Bjørner and Mikolas Janota. Playing with quantified satisfaction. In LPAR, 2015.

[Cooper, 1972] David C Cooper. Theorem proving in arithmetic without multiplication. Machine Intelligence, 7:91–99, 1972.

[De Moura and Bjørner, 2007] Leonardo De Moura and Nikolaj Bjørner. Efficient E-matching for SMT solvers. In CADE, pages 183–198, 2007.

[De Moura and Bjørner, 2008] Leonardo De Moura and Nikolaj Bjørner. Z3: An efficient SMT solver. In TACAS, pages 337–340, 2008.

[Dutertre, 2014] Bruno Dutertre. In CAV, pages 737–744, 2014.

[Dutertre, 2015] Bruno Dutertre. Solving exists/forall problems with Yices. In Workshop on Satisfiability Modulo Theories, 2015.

[Ferrante and Rackoff, 1975] Jeanne Ferrante and Charles Rackoff. A decision procedure for the first order theory of real addition with order. SIAM Journal on Computing, 4(1):69–76, 1975.

[Ge et al., 2007] Yeting Ge, Clark Barrett, and Cesare Tinelli. Solving quantified verification conditions using satisfiability modulo theories. In CADE, pages 167–182, 2007.

[Ghilardi and Ranise, 2010] Silvio Ghilardi and Silvio Ranise. MCMT: A model checker modulo theories. In Automated Reasoning, pages 22–29, 2010.

[Hintikka, 1982] Jaakko Hintikka. Game-theoretical semantics: insights and prospects. Notre Dame Journal of Formal Logic, 23(2):219–241, 1982.

[Janota et al., 2012] Mikoláš Janota, William Klieber, Joao Marques-Silva, and Edmund Clarke. Solving QBF with counterexample guided refinement. In SAT, pages 114–128, 2012.

[Komuravelli et al., 2014] Anvesh Komuravelli, Arie Gurfinkel, and Sagar Chaki. SMT-based model checking for recursive programs. In CAV, pages 17–34, 2014.

[Kovács and Voronkov, 2013] Laura Kovács and Andrei Voronkov. First-order theorem proving and Vampire. In CAV, pages 1–35, 2013.

[Loos and Weispfenning, 1993] Rüdiger Loos and Volker Weispfenning. Applying linear quantifier elimination. The Computer Journal, 36(5):450–462, 1993.

[Monniaux, 2010] David Monniaux. Quantifier elimination by lazy model enumeration. In CAV, pages 585–599, 2010.

[Phan et al., 2012] Anh-Dung Phan, Nikolaj Bjørner, and David Monniaux. Anatomy of alternating quantifier satisfiability (work in progress). In Workshop on Satisfiability Modulo Theories, page 6, 2012.

[Reynolds et al., 2015] Andrew Reynolds, Morgan Deters, Viktor Kuncak, Cesare Tinelli, and Clark Barrett. Counterexample-guided quantifier instantiation for synthesis in SMT. In CAV, pages 198–216, 2015.

[Schulz, 2013] Stephan Schulz. System Description: E 1.8. In LPAR, pages 735–743, 2013.

[Solar-Lezama et al., 2006] Armando Solar-Lezama, Liviu Tancau, Rastislav Bodik, Sanjit Seshia, and Vijay Saraswat. Combinatorial sketching for finite programs. In ASPLOS, pages 404–415, 2006.

[Solar-Lezama, 2008] Armando Solar-Lezama. Program synthesis by sketching. PhD thesis, University of California, Berkeley, 2008.

[Weispfenning, 1988] Volker Weispfenning. The complexity of linear problems in fields. Journal of Symbolic Computation, 5(1):3–27, 1988.

[Zhang, 2006] Lintao Zhang. Solving QBF with combined conjunctive and disjunctive normal form. In AAAI, 2006.