Model Generation for Quantified Formulas: A TaintBased Approach
Abstract
We focus in this paper on generating models of quantified firstorder formulas over builtin theories, which is paramount in software verification and bug finding. While standard methods are either geared toward proving the absence of a solution or targeted to specific theories, we propose a generic and radically new approach based on a reduction to the quantifierfree case. Our technique thus allows to reuse all the efficient machinery developed for that context. Experiments show a substantial improvement over stateoftheart methods.
1 Introduction
Context. Software verification methods have come to rely increasingly on reasoning over logical formulas modulo theory. In particular, the ability to generate models (i.e., find solutions) of a formula is of utmost importance, typically in the context of bug finding or intensive testing—symbolic execution [21] or bounded model checking [7]. Since quantifierfree firstorder formulas on wellsuited theories are sufficient to represent many reachability properties of interest, the Satisfiability Modulo Theory (SMT) [6, 25] community has primarily dedicated itself to designing solvers able to efficiently handle such problems.
Yet, universal quantifiers are sometimes needed, typically when considering preconditions or code abstraction. Unfortunately, most theories handled by SMTsolvers are undecidable in the presence of universal quantifiers. There exist dedicated methods for a few decidable quantified theories, such as Presburger arithmetic [9] or the array property fragment [8], but there is no general and effective enough approach for the model generation problem over universally quantified formulas. Indeed, generic solutions for quantified formulas involving heuristic instantiation and refutation are best geared to proving the unsatisfiability of a formula (i.e., absence of solution) [13, 20], while recent proposals such as local theory extensions [2], finite instantiation [31, 32] or modelbased instantiation [20, 29] either are too narrow in scope, or handle quantifiers on free sorts only, or restrict themselves to finite models, or may get stuck in infinite refinement loops.
Goal and Challenge. Our goal is to propose a generic and efficient approach to the model generation problem over arbitrary quantified formulas with support for theories commonly found in software verification. Due to the huge effort made by the community to produce stateoftheart solvers for quantifierfree theories ( QF solvers), it is highly desirable for this solution to be compatible with current leading decision procedures, namely SMT approaches.
Proposal. Our approach turns a quantified formula into a quantifierfree formula with the guarantee that any model of the latter contains a model of the former. The benefits are threefold: the transformed formula is easier to solve, it can be sent to standard QFsolvers, and a model for the initial formula is deducible from a model of the transformed one. The idea is to ignore quantifiers but strengthen the quantifierfree part of the formula with an independence condition constraining models to be independent from the (initially) quantified variables.

We propose a novel and generic framework for model generation of quantified formula (Sect. 5, Algorithm 1) relying on the inference of sufficient independence condition (Sect. 4). We prove its correctness (Theorem 1, mechanized in Coq) and its efficiency under reasonable assumptions (Propositions 4 and 5). Especially our approach implies only a linear overhead in the formula size. We also briefly study its completeness, related to the notion of weakest independence condition.

We define a taintbased procedure for the inference of independence conditions (Sect. 5.2), composed of a theoryindependent core (Algorithm 2) together with theorydependent refinements. We propose such refinements for a large class of operators (Sect. 6.2), encompassing notably arrays and bitvectors.

Finally, we present a concrete implementation of our method specialized on arrays and bitvectors (Sect. 7). Experiments on SMTLIB benchmarks and software verification problems notably demonstrate that we are able not only to very effectively lift quantifierfree decision procedures to the quantified case, but also to supplement recent advances, such as finite or modelbased quantifier instantiation [20, 29, 31, 32]. Indeed, we concretely supply SMT solvers with the ability to efficiently address an extended set of software verification questions.
While techniques a la Ematching allow to lift quantifierfree solvers to the unsatisfiability checking of quantified formulas, this works provides a mechanism to lift them to the satisfiability checking and model generation of quantified formulas, yielding a more symmetric handling of quantified formulas in SMT. This new approach paves the way to future developments such as the definition of more precise inference mechanisms of independence conditions, the identification of interesting subclasses for which inferring weakest independence conditions is feasible, and the combination with other quantifier instantiation techniques.
2 Motivation
Reduction to the QuantifierFree Case Through Independence. We propose to ignore the universal quantification over x, but restrict models to those which do not depend on x. For example, model \(\{\mathtt {a}=1, \mathtt {x}=1, \mathtt {b}=0\}\) does depend on x, as taking \(x=0\) invalidates the formula, while model \(\left\{ \mathtt {a}=0, \mathtt {x}=1, \mathtt {b}=1\right\} \) is independent of x. We call constraint \(\psi \triangleq (a=0)\) an independence condition: any interpretation of \(\phi \) satisfying \(\psi \) will be independent of x, and therefore a model of \(\phi \wedge \psi \) will give us a model of \(\phi _{\forall }\).
Inference of Independence Conditions Through Tainting. Figure 1 details in its right part a way to infer such independence conditions. Given a quantified reachability condition (1), we first associate to every variable v a (boolean) taint variable \(v^\bullet \) indicating whether the solution may depend on v (value \(\top \)) or not (value \(\bot \)). Here, \(x^\bullet \) is set to \(\bot \), \(a^\bullet \) and \(b^\bullet \) are set to \(\top \) (2). An independence condition (3)—a formula modulo theory—is then constructed using both initial and taint variables. We extend taint constraints to terms, \(t^\bullet \) indicating here whether t may depend on x or not, and we require the toplevel term (i.e., the formula) to be tainted to \(\top \) (i.e., to be indep. from x). Condition (3) reads as follows: in order to enforce that \((ax+b>0)^\bullet \) holds, we enforce that \((ax)^\bullet \) and \(b^\bullet \) hold, and for \((ax)^\bullet \) we require that either \(a^\bullet \) and \(x^\bullet \) hold, or \(a^\bullet \) holds and \(a=0\) (absorbing the value of x), or the symmetric case. We see that \(\cdot ^\bullet \) is defined recursively and combines a systematic part (if \(t^\bullet \) holds then \(f(t)^\bullet \) holds, for any f) with a theorydependent part (here, based on \(\times \)). After simplifications (4), we obtain \(a=0\) as an independence condition (5) which is adjoined to the reachability condition freed of its universal quantification (6). A QFsolver provides a model of (6) (e.g., \(\left\{ \mathtt {a}=0,\mathtt {b}=1,\mathtt {x}=5 \right\} \)), lifted into a model of (1) by discarding the valuation of x (e.g., \(\left\{ \mathtt {a}=0,\mathtt {b}=1 \right\} \)).
In this specific example the inferred independence condition (5) is the most generic one and (1) and (6) are equisatisfiable. Yet, in general it may be an underapproximation, constraining the variables more than needed and yielding a correct but incomplete decision method: a model of (6) can still be turned into a model of (1), but (6) might not have a model while (1) has.
3 Notations
We consider the framework of manysorted firstorder logic with equality, and we assume standard definitions of sorts, signatures and terms. Given a tuple of variables \(\varvec{x} \triangleq \left( x_1,\dots ,x_n\right) \) and a quantifier \(\mathcal {Q}\) (\(\forall \) or \(\exists \)), we shorten \(\mathcal {Q}{x_1}\dots \mathcal {Q}{x_n}.\varPhi \) as \(\mathcal {Q}\varvec{x}.\varPhi \). A formula is in prenex normal form if it is written as \(\mathcal {Q}_1{\varvec{x}_1}\dots \mathcal {Q}_n{\varvec{x}_n}.\varPhi \) with \(\varPhi \) a quantifierfree formula. A formula is in Skolem normal form if it is in prenex normal form with only universal quantifiers. We write \(\varPhi \left( \varvec{x}\right) \) to denote that the free variables of \(\varPhi \) are in \(\varvec{x}\). Let \(\varvec{t}\triangleq \left( t_1,\dots ,t_n\right) \) be a term tuple, we write \(\varPhi \left( \varvec{t}\right) \) for the formula obtained from \(\varPhi \) by replacing each occurrence of \(x_i\) in \(\varPhi \) by \(t_i\). An interpretation \(\mathcal {I}\) associates a domain to each sort of a signature and a value to each symbol of a formula, and \(\llbracket \varDelta \rrbracket _{\mathcal {I}}\) denotes the evaluation of term \(\varDelta \) over \(\mathcal {I}\). A satisfiability relation \(\models \) between interpretations and formulas is defined inductively as usual. A model of \(\varPhi \) is an interpretation \(\mathcal {I}\) satisfying \(\mathcal {I}\models \varPhi \). We sometimes refer to models as “solutions”. Formula \(\varPsi \) entails formula \(\varPhi \), written \(\varPsi \models \varPhi \), if every interpretation satisfying \(\varPsi \) satisfies \(\varPhi \) as well. Two formulas are equivalent, denoted \(\varPsi \equiv \varPhi \), if they have the same models. A theory \(\mathcal {T}\triangleq \left( \varSigma ,\varvec{\mathcal {I}}\right) \) restricts symbols in \(\varSigma \) to be interpreted in \(\varvec{\mathcal {I}}\). The quantifierfree fragment of \(\mathcal {T}\) is denoted QF\(\mathcal {T}\).
Convention. Letters \(a,b,c\dots \) denote uninterpreted symbols and variables. Letters \(x,y,z\dots \) denote quantified variables. \(\varvec{a},\varvec{b},\varvec{c}\) denote sets of uninterpreted symbols. \(\varvec{x},\varvec{y},\varvec{z}\dots \) denote sets of quantified variables. Finally, \(\mathtt {a},\mathtt {b},\mathtt {c}\dots \) denote valuations of associated (sets of) symbols.
In the rest of this paper, we assume w.l.o.g. that all formulas are in Skolem normal form. Recall that any formula \(\phi \) in classical logic can be normalized into a formula \(\psi \) in Skolem normal form such that any model of \(\phi \) can be lifted into a model of \(\psi \), and vice versa. This strong relation, much closer to formula equivalence than to formula equisatisfiability, ensures that our correctness and completeness results all along the paper hold for arbitrarily quantified formula.
Companion Technical Report. Additional technical details (proofs, experiments, etc.) are available online at http://benjamin.farinier.org/cav2018/.
4 Musing with Independence
4.1 Independent Interpretations, Terms and Formulas
A solution \((\mathtt {x},\mathtt {a})\) of \(\varPhi \) does not depend on \(\varvec{x}\) if \(\varPhi (\varvec{x},\varvec{a})\) is always true or always false, for all possible valuations of \(\varvec{x}\) as long as \(\varvec{a}\) is set to \(\mathtt {a}\). More formally, we define the independence of an interpretation of \(\varPhi \) w.r.t. \(\varvec{x}\) as follows:
Definition 1

Let \(\varPhi \left( \varvec{x},\varvec{a}\right) \) a formula with free variables \(\varvec{x}\) and \(\varvec{a}\). Then an interpretation \(\mathcal {I}\) of \(\varPhi \left( \varvec{x},\varvec{a}\right) \) is independent of \(\varvec{x}\) if for all interpretations \(\mathcal {J}\) equal to \(\mathcal {I}\) except on \(\varvec{x}\), \(\mathcal {I}\models \varPhi \) if and only if \(\mathcal {J}\models \varPhi \).

Let \(\varDelta \left( \varvec{x},\varvec{a}\right) \) a term with free variables \(\varvec{x}\) and \(\varvec{a}\). Then an interpretation \(\mathcal {I}\) of \(\varDelta \left( \varvec{x},\varvec{a}\right) \) is independent of \(\varvec{x}\) if for all interpretations \(\mathcal {J}\) equal to \(\mathcal {I}\) except on \(\varvec{x}\), \(\llbracket \varDelta \left( \varvec{x},\varvec{a}\right) \rrbracket _{\mathcal {I}} = \llbracket \varDelta \left( \varvec{x},\varvec{a}\right) \rrbracket _{\mathcal {J}}\).
Regarding formula \({ax+b>0}\) from Fig. 1, \(\left\{ {a=0}, {b=1}, {x=1} \right\} \) is independent of x while \(\left\{ {a=1}, {b=0}, {x=1} \right\} \) is not. Considering term \(\left( t\left[ {a}\leftarrow {b} \right] \right) [c]\), with t an array written at index a then read at index c, \(\left\{ {a=0}, {b=42}, {c=0}, {t=\left[ \dots \right] } \right\} \) is independent of t (evaluates to 42) while \(\left\{ {a=0}, {b=1}, {c=2}, {t=\left[ \dots \right] } \right\} \) is not (evaluates to \(t\left[ 2\right] \)). We now define independence for formulas and terms.
Definition 2

Let \(\varPhi \left( \varvec{x},\varvec{a}\right) \) a formula with free variables \(\varvec{x}\) and \(\varvec{a}\). Then \(\varPhi \left( \varvec{x},\varvec{a}\right) \) is independent of \(\varvec{x}\) if \(\forall \varvec{x}.\forall \varvec{y}. \left( \varPhi \left( \varvec{x},\varvec{a}\right) \Leftrightarrow \varPhi \left( \varvec{y},\varvec{a}\right) \right) \) is true for any value of \(\varvec{a}\).

Let \(\varDelta \left( \varvec{x},\varvec{a}\right) \) a term with free variables \(\varvec{x}\) and \(\varvec{a}\). Then \(\varDelta \left( \varvec{x},\varvec{a}\right) \) is independent of \(\varvec{x}\) if \(\forall \varvec{x}.\forall \varvec{y}. \left( \varDelta \left( \varvec{x},\varvec{a}\right) = \varDelta \left( \varvec{y},\varvec{a}\right) \right) \) is true for any value of \(\varvec{a}\).
Definition 2 of formula and term independence is far stronger than Definition 1 of interpretation independence. Indeed, it can easily be checked that if a formula \(\varPhi \) (resp. a term \(\varDelta \)) is independent of \(\varvec{x}\), then any interpretation of \(\varPhi \) (resp. \(\varDelta \)) is independent of \(\varvec{x}\). However, the converse is false as formula \(ax+b>0\) is not independent of x, but has an interpretation \(\left\{ {a=0},{b=1},{x=1}\right\} \) which is.
4.2 Independence Conditions
Since it is rarely the case that a formula (resp. term) is independent from a set of variables \(\varvec{x}\), we are interested in Sufficient Independence Conditions. These conditions are additional constraints that can be added to a formula (resp. term) in such a way that they make the formula (resp. term) independent of \(\varvec{x}\).
Definition 3

A Sufficient Independence Condition for a formula \(\varPhi \left( \varvec{x},\varvec{a}\right) \) with regard to \(\varvec{x}\) is a formula \(\varPsi \left( \varvec{a}\right) \) such that \(\varPsi \left( \varvec{a}\right) \models ({\forall \varvec{x}.\forall \varvec{y}. \varPhi \left( \varvec{x},\varvec{a}\right) \Leftrightarrow \varPhi \left( \varvec{y},\varvec{a}\right) })\).

A Sufficient Independence Condition for a term \(\varDelta \left( \varvec{x},\varvec{a}\right) \) with regard to \(\varvec{x}\), is a formula \(\varPsi \left( \varvec{a}\right) \) such that \(\varPsi \left( \varvec{a}\right) \models ({\forall \varvec{x}.\forall \varvec{y}. \varDelta \left( \varvec{x},\varvec{a}\right) = \varDelta \left( \varvec{y},\varvec{a}\right) })\).
We denote by \(\textsc {sic}_{\varPhi ,\varvec{x}}\) (resp. \(\textsc {sic}_{\varDelta ,\varvec{x}}\)) a Sufficient Independence Condition for a formula \(\varPhi \left( \varvec{x},\varvec{a}\right) \) (resp. for a term \(\varDelta \left( \varvec{x},\varvec{a}\right) \)) with regard to \(\varvec{x}\). For example, \(a=0\) is a \(\textsc {sic}_{\varPhi ,x}\) for formula \(\varPhi \triangleq {ax+b>0}\), and \(a=c\) is a \(\textsc {sic}_{\varDelta ,t}\) for term \(\varDelta \triangleq \left( t\left[ {a}\leftarrow {b}\right] \right) [c]\). Note that \(\bot \) is always a sic, and that sic are closed under \(\wedge \) and \(\vee \). Proposition 1 clarifies the interest of sic for model generation.
Proposition 1
(Model generalization). Let \(\varPhi \left( \varvec{x},\varvec{a}\right) \) a formula and \(\varPsi \) a \(\textsc {sic}_{\varPhi ,\varvec{x}}\). If there exists an interpretation \(\left\{ \mathtt {x},\mathtt {a}\right\} \) such that \(\left\{ \mathtt {x},\mathtt {a}\right\} \models \varPsi \left( \varvec{a}\right) \wedge \varPhi \left( \varvec{x},\varvec{a}\right) \), then \(\left\{ \mathtt {a}\right\} \models \forall \varvec{x}.\varPhi \left( \varvec{x},\varvec{a}\right) \).
Proof
(sketch of). Appendix C.1 of the companion technical report.
For the sake of completeness, we introduce now the notion of Weakest Independence Condition for a formula \(\varPhi \left( \varvec{x},\varvec{a}\right) \) with regard to \(\varvec{x}\) (resp. a term \(\varDelta \left( \varvec{x},\varvec{a}\right) \)). We will denote such conditions \(\textsc {wic}_{\varPhi ,\varvec{x}}\) (resp. \(\textsc {wic}_{\varDelta ,\varvec{x}}\)).
Definition 4

A Weakest Independence Condition for a formula \(\varPhi \left( \varvec{x},\varvec{a}\right) \) with regard to \(\varvec{x}\) is a \(\textsc {sic}_{\varPhi ,\varvec{x}}\) \(\varPi \) such that, for any other \(\textsc {sic}_{\varPhi ,\varvec{x}}\) \(\varPsi \), \(\varPsi \models \varPi \).

A Weakest Independence Condition for a term \(\varDelta \left( \varvec{x},\varvec{a}\right) \) with regard to \(\varvec{x}\) is a \(\textsc {sic}_{\varDelta ,\varvec{x}}\) \(\varPi \) such that, for any other \(\textsc {sic}_{\varDelta ,\varvec{x}}\) \(\varPsi \), \(\varPsi \models \varPi \).
Note that \(\varOmega \triangleq \forall \varvec{x}.\forall \varvec{y}. \left( \varPhi \left( \varvec{x},\varvec{a}\right) \Leftrightarrow \varPhi \left( \varvec{y},\varvec{a}\right) \right) \) is always a \(\textsc {wic}_{\varPhi ,\varvec{x}}\), and any formula \(\varPi \) is a \(\textsc {wic}_{\varPhi ,\varvec{x}}\) if and only if \(\varPi \equiv \varOmega \). Therefore all syntactically different wic have the same semantics. As an example, both sic \(a=0\) and \(a=c\) presented earlier are \(\textsc {wic}\). Proposition 2 emphasizes the interest of wic for model generation.
Proposition 2
(Model specialization). Let \(\varPhi \left( \varvec{x},\varvec{a}\right) \) a formula and \(\varPi (\varvec{a})\) a \(\textsc {wic}_{\varPhi ,\varvec{x}}\). If there exists an interpretation \(\left\{ \mathtt {a}\right\} \) such that \(\left\{ \mathtt {a} \right\} \models \forall \varvec{x}. \varPhi \left( \varvec{x},\varvec{a}\right) \), then \(\left\{ \mathtt {x},\mathtt {a} \right\} \models \varPi \left( \varvec{a}\right) \wedge \varPhi \left( \varvec{x},\varvec{a}\right) \) for any valuation \(\mathtt {x}\) of \(\varvec{x}\).
Proof
(sketch of). Appendix C.2 of the companion technical report.
From now on, our goal is to infer from a formula \(\forall \varvec{x}. \varPhi \left( \varvec{x},\varvec{a}\right) \) a \(\textsc {sic}_{\varPhi ,\varvec{x}}\) \(\varPsi \left( \varvec{a}\right) \), find a model for \(\varPsi \left( \varvec{a}\right) \wedge \varPhi \left( \varvec{x},\varvec{a}\right) \) and generalize it. This \(\textsc {sic}_{\varPhi ,\varvec{x}}\) should be as weak—in the sense “less coercive”—as possible, as otherwise \(\bot \) could always be used, which would not be very interesting for our overall purpose.
For the sake of simplicity, previous definitions omit to mention the theory to which the sic belongs. If the theory \(\mathcal {T}\) of the quantified formula is decidable we can always choose \(\forall \varvec{x}.\forall \varvec{y}. \left( \varPhi \left( \varvec{x},\varvec{a}\right) \Leftrightarrow \varPhi \left( \varvec{y},\varvec{a}\right) \right) \) as a sic, but it is simpler to directly use a \(\mathcal {T}\)solver. The challenge is, for formulas in an undecidable theory \(\mathcal {T}\), to find a nontrivial sic in its quantifierfree fragment QF\(\mathcal {T}\).
Under this constraint, we cannot expect a systematic construction of \(\textsc {wic}\), as it would allow to decide the satisfiability of any quantified theory with a decidable quantifierfree fragment. Yet informally, the closer a sic is to be a wic, the closer our approach is to completeness. Therefore this notion might be seen as a fair gauge of the quality of a \(\textsc {sic}\). Having said that, we leave a deeper study on the inference of wic as future work.
5 Generic Framework for SICBased Model Generation
We describe now our overall approach. Algorithm 1 presents our sicbased generic framework for model generation (Sect. 5.1). Then, Algorithm 2 proposes a taintbased approach for sic inference (Sect. 5.2). Finally, we discuss complexity and efficiency issues (Sect. 5.3) and detail extensions (Sect. 5.4), such as partial elimination.
From now on, we do not distinguish anymore between terms and formulas, their treatment being symmetric, and we call targeted variables the variables we want to be independent of.
5.1 SICBased Model Generation

solveQF is a decision procedure (typically a SMT solver) for QF\(\mathcal {T}\). solveQF is said to be correct if each time it answers sat (resp. unsat) the formula is satisfiable (resp. unsatisfiable); it is said to be complete if it always answers sat or unsat, never unknown.

inferSIC takes as input a formula \(\varPhi \) in QF\(\mathcal {T}\) and a set of targeted variables \(\varvec{x}\), and produces a \(\textsc {sic}_{\varPhi ,\varvec{x}}\) in QF\(\mathcal {T}\). It is said to be correct if it always returns a sic, and complete if all the sic it returns are wic. A possible implementation of inferSIC is described in Algorithm 2 (Sect. 5.2).
Function solveQ enjoys the two following properties, where correctness and completeness are defined as for solveQF.
Theorem 1

If solveQF and inferSIC are correct, then solveQ is correct.

If solveQF and inferSIC are complete, then solveQ is complete.
5.2 TaintBased SIC Inference
Algorithm 2 presents a taintbased implementation of function inferSIC. It consists of a (syntactic) core calculus described here, refined by a (semantic) theorydependent calculus theorySIC described in Sect. 6. From formula \(\varPhi \left( \varvec{x},\varvec{a}\right) \) and targeted variables \(\varvec{x}\), inferSIC is defined recursively as follow.
If \(\varPhi \) is a constant it returns \(\top \) as constants are independent of any variable. If \(\varPhi \) is a variable v, it returns \(\top \) if we may depend on v (i.e., \(v \not \in \varvec{x}\)), \(\bot \) otherwise. If \(\varPhi \) is a function \(f\left( \phi _1, \ldots ,\phi _n\right) \), it first recursively computes for every subterm \(\phi _i\) a \(\textsc {sic}_{\phi _i,\varvec{x}}\) \(\psi _i\). Then these results are sent with \(\varPhi \) to theorySIC which computes a \(\textsc {sic}_{\varPhi ,\varvec{x}}\) \(\varPsi \). The procedure returns the disjunction between \(\varPsi \) and the conjunction of the \(\psi _i\)’s. Note that theorySIC default value \(\bot \) is absorbed by the disjunction.
The intuition is that if the \(\phi _i\)’s are independent of \(\varvec{x}\), then \(f\left( \phi _1, \ldots ,\phi _n\right) \) is. Therefore Algorithm 2 is said to be taintbased as, when theorySIC is left to its default value, it acts as a form of taint tracking [15, 27] inside the formula.
Proposition 3
(Correctness). Given a formula \(\varPhi \left( \varvec{x},\varvec{a}\right) \) and assuming that theorySIC is correct, then \(\texttt {inferSIC}\left( \varPhi ,\varvec{x}\right) \) indeed computes a \(\textsc {sic}_{\varPhi ,\varvec{x}}\).
Proof
(sketch of). This proof has been mechanized in Coq^{1}.
Note that on the other hand, completeness does not hold: in general \(\texttt {inferSIC}\) does not compute a \(\textsc {wic}\), cf. discussion in Sect. 5.4.
5.3 Complexity and Efficiency
We now evaluate the overhead induced by Algorithm 1 in terms of formula size and complexity of the resolution—the running time of Algorithm 1 itself being expected to be negligible (preprocessing).
Definition 5
The size of a term is inductively defined as \(\text {size}\left( x\right) \triangleq 1\) for x a variable, and \(\text {size}\left( f\left( t_1, \ldots ,t_n\right) \right) \triangleq 1+\varSigma _i\,\text {size}\left( t_i\right) \) otherwise. We say that theorySIC is bounded in size if there exists K such that, for all terms \(\varDelta \), \(\text {size} \left( \texttt {theorySIC}\left( \varDelta ,\cdot \right) \right) \le {K}\).
Proposition 4
(Size bound). Let N be the maximal arity of symbols defined by theory \(\mathcal {T}\). If theorySIC is bounded in size by K, then for all formula \(\varPhi \) in \(\mathcal {T}\), \(\text {size}\left( \texttt {inferSIC}\left( \varPhi ,\cdot \right) \right) \le \left( K+N\right) \cdot \text {size}\left( \varPhi \right) \).
Proposition 5
(Complexity bound). Let us suppose theorySIC bounded in size, and let \(\varPhi \) be a formula belonging to a theory \(\mathcal {T}\) with polynomialtime checkable solutions. If \(\varPsi \) is a \(\textsc {sic}_{\varPhi ,\cdot }\) produced by inferSIC, then a solution for \(\varPhi \wedge \varPsi \) is checkable in time polynomial in size of \(\varPhi \).
Proof
(sketch of). Appendices C.3 and C.4 of the companion technical report.
These propositions demonstrate that, for formula landing in complex enough theories, our method lifts QFsolvers to the quantified case (in an approximated way) without any significant overhead, as long as theorySIC is bounded in size. This latter constraint can be achieved by systematically binding subterms to (constantsize) fresh names and having theorySIC manipulates these binders.
5.4 Discussions
Extension. Let us remark that our framework encompasses partial quantifier elimination as long as the remaining quantifiers are handled by solveQF. For example, we may want to remove quantifications over arrays but keep those on bitvectors. In this setting, inferSIC can also allow some level of quantification, providing that solveQF handles them.
About WIC. As already stated, inferSIC does not propagate wic in general. For example, considering formulas \(t_1 \triangleq (x<0)\) and \(t_2 \triangleq (x\ge 0)\), then \(\textsc {wic}_{t_1,x} = \bot \) and \(\textsc {wic}_{t_2,x} = \bot \). Hence inferSIC returns \(\bot \) as sic for \(t_1 \vee t_2\), while actually \(\textsc {wic}_{t_1 \vee t_2,x} = \top \).
Nevertheless, we can already highlight a few cases where wic can be computed. (1) inferSIC does propagate wic on onetoone uninterpreted functions. (2) If no variable of \(\varvec{x}\) appears in any subterm of \(f(t,t')\), then the associated wic is \(\top \). While a priori naive, this case becomes interesting when combined with simplifications (Sect. 7.1) that may eliminate \(\varvec{x}\). (3) If a subterm falls in a subtheory admitting quantifier elimination, then the associated wic is computed by eliminating quantifiers in \((\forall .\varvec{x}.\varvec{y}. \varPhi (\varvec{x},\varvec{a}) \Leftrightarrow \varPhi (\varvec{y},\varvec{a}))\). (4) We may also think of dedicated patterns: regarding bitvectors, the wic for \(x \le a \Rightarrow x \le x+k\) is \(a \le \texttt {Max}k\). Identifying under which condition wic propagation holds is a strong direction for future work.
6 TheoryDependent SIC Refinements
We now present theorydependent sic refinements for theories relevant to program analysis: booleans, fixedsize bitvectors and arrays—recall that uninterpreted functions are already handled by Algorithm 2. We then propose a generalization of these refinements together with a correctness proof for a larger class of operators.
6.1 Refinement on Theories
We recall theorySIC takes four parameters: a function symbol f, its arguments \(\left( t_1, \ldots ,t_n\right) \), their associated sic \(\left( t_1^\bullet , \ldots ,t_n^\bullet \right) \), and targeted variables \(\varvec{x}\). theorySIC patternmatches the function symbol and returns the associated sic according to rules in Fig. 2. If a function symbol is not supported, we return the default value \(\bot \). Constants and variables are handled by inferSIC. For the sake of simplicity, rules in Fig. 2 are defined recursively, but can easily fit the interface required for theorySIC in Algorithm 2 by turning recursive calls into parameters.
Booleans and Ite. Rules for the boolean theory (Fig. 2a) handles \(\Rightarrow \), \(\wedge \), \(\vee \) and \(\text {ite}\) (ifthenelse). For binary operators, the sic is the conjunction of the sic associated to one of the two subterms and a constraint on this subterm that forces the result of the operator to be constant—e.g., to be equal to \(\bot \) (resp. \(\top \)) for the antecedent (resp. consequent) of an implication. These equality constraints are based on absorbing elements of operators.
Bitvectors and Arrays. Rules for bitvectors (Fig. 2b) follow similar ideas, with constant \(\top \) (resp. \(\bot \)) substituted by \(1_n\) (resp. \(0_n\)), the bitvector of size n full of ones (resp. zeros). Rules for arrays (Fig. 2c) are derived from the theory axioms. The definition is recursive: rules need be applied until reaching either a store at the position where the select occurs, or the initial array variable.
As a rule of thumb, good sic can be derived from function axioms in the form of rewriting rules, as done for arrays. Similar constructions can be obtained for example for stacks or queues.
6.2 \(\mathcal {R}\)Absorbing Functions
We propose a generalization of the previous theorydependent sic refinements to a larger class of functions, and prove its correctness.
Intuitively, if a function has an absorbing element, constraining one of its operands to be equal to this element will ensure that the result of the function is independent of the other operands. However, it is not enough when a relation between some elements is needed, such as with \(\left( t[a\leftarrow b]\right) [c]\) where constraint \(a=c\) ensures the independence with regards to t. We thus generalize the notion of absorption to \(\mathcal {R}\)absorption, where \(\mathcal {R}\) is a relation between function arguments.
Definition 6
Let \(f:\tau _1\times \cdots \times \tau _n\rightarrow \tau \) a function. f is \(\mathcal {R}\)absorbing if there exists \(\mathcal {I}_\mathcal {R}\subset \left\{ 1,\cdots ,n\right\} \) and \(\mathcal {R}\) a relation between \(\alpha _i:\tau _i,\,i\in \mathcal {I}_\mathcal {R}\) such that, for all \(b \triangleq \left( b_1,\dots ,b_n\right) \) and \(c\triangleq \left( c_1,\dots ,c_n\right) \in \tau _1\times \dots \times \tau _n\), if \(\mathcal {R}(\left. b\right _{\mathcal {I}_{\mathcal {R}}})\) and \(\left. b\right _{\mathcal {I}_{\mathcal {R}}} = \left. c\right _{\mathcal {I}_{\mathcal {R}}}\) where \(\left. \cdot \right _{\mathcal {I}_{\mathcal {R}}}\) is the projection on \(\mathcal {I}_{\mathcal {R}}\), then \(f(b)=f(c)\).
\(\mathcal {I}_\mathcal {R}\) is called the support of the relation of absorption \(\mathcal {R}\).
For example, \(\left( a,b\right) \mapsto {{a}\vee {b}}\) has two pairs \(\left\langle \mathcal {R},\,\mathcal {I}_\mathcal {R}\right\rangle \) coinciding with the usual notion of absorption, \(\left\langle {a\!=\!\top },\,\left\{ 1_a\right\} \right\rangle \) and \(\left\langle {b\!=\!\top },\,\left\{ 2_b\right\} \right\rangle \). Function \(\left( x,y,z\right) \mapsto {xy+z}\) has among others the pair \(\left\langle {x\!=\!0},\,\left\{ 1_x,3_z\right\} \right\rangle \), while \(\left( a,b,c,t\right) \mapsto \left( t[a \leftarrow b]\right) [c]\) has the pair \(\left\langle {a\!=\!c},\,\left\{ 1_a,3_c\right\} \right\rangle \). We can now state the following proposition:
Proposition 6
Let \(f\left( t_1,\dots ,t_n\right) \) be a \(\mathcal {R}\)absorbing function of support \(\mathcal {I}_\mathcal {R}\), and let \(t_i^\bullet \) be a \(\textsc {sic}_{t_i,\varvec{x}}\) for some \(\varvec{x}\). Then \(\mathcal {R}\left( t_{i\in \mathcal {\mathcal {I}_\mathcal {R}}}\right) \bigwedge _{i\in \mathcal {\mathcal {I}_\mathcal {R}}}t_i^\bullet \) is a \(\textsc {sic}_{f,\varvec{x}}\).
Proof (sketch of)
Appendix C.5 of the companion technical report.
Previous examples (Sect. 6.1) can be recast in term of \(\mathcal {R}\)absorbing function, proving their correctness (cf. companion technical report). Note that regarding our endgoal, we should accept only \(\mathcal {R}\)absorbing functions in QF\(\mathcal {T}\).
7 Experimental Evaluation
This section describes the implementation of our method (Sect. 7.1) for bitvectors and arrays (ABV), together with experimental evaluation (Sect. 7.2).
7.1 Implementation
Our prototype Tfml (Taint engine for ForMuLa)^{2} comprises 7 klocs of OCaml. Given an input formula in the SMTLIB format [5] (ABV theory), Tfml performs several normalizations before adding taint information following Algorithm 1. The process ends with simplifications as taint usually introduces many constant values, and a new SMTLIB formula is output.
Sharing with LetBinding. This stage is crucial as it allows to avoid term duplication in theorySIC (Algorithm 2, Sect. 5.3, and Proposition 4). We introduce new names for relevant subterms in order to easily share them.
Simplifications. We perform constant propagation and rewriting (standard rules, e.g. \(xx \mapsto 0\) or \(x \times 1 \mapsto x\)) on both initial and transformed formulas – equality is soundly approximated by syntactic equality.
Shadow Arrays. We encode taint constraints over arrays through shadow arrays. For each array declared in the formula, we declare a (taint) shadow array. The default value for all cells of the shadow array is the taint of the original array, and for each value stored (resp. read) in the original array, we store (resp. read) the taint of the value in the shadow array. As logical arrays are infinite, we cannot constrain all the values contained in the initial shadow array. Instead, we rely on a common trick in array theory: we constrain only cells corresponding to a relevant read index in the formula.
Iterative Skolemization. While we have supposed along the paper to work on skolemized formulas, we have to be more careful in practice. Indeed, skolemization introduce dependencies between a skolemized variable and all its preceding universally quantified variables, blurring our analysis and likely resulting in considering the whole formula as dependent. Instead, we follow an iterative process: 1. Skolemize the first block of existentially quantified variables; 2. Compute the independence condition for any targeted variable in the first block of universal quantifiers and remove these quantifiers; 3. Repeat. This results in full Skolemization together with the construction of an independence condition, while avoiding many unnecessary dependencies.
7.2 Evaluation
Answers and resolution time (in seconds, include timeout)
CVC4  CVC4\(_{E}\)  Z3  Z3\(_{E}\)  

SMTLIB  #  sat  399  84  242  84  242  261  366  87  366 
unsat  N/A  0  N/A  0  N/A  165  N/A  0  N/A  
unknown  870  1185  1027  1185  1027  843  903  1182  903  
Total time  349  165  194 667  165  196 934  270 150  36 480  192  41 935  
Binsec  #  sat  1042  951  954  951  954  953  1042  953  1042 
unsat  N/A  62  N/A  62  N/A  319  N/A  62  N/A  
unknown  379  408  467  408  467  149  379  406  379  
Total time  1152  64 761  76 811  64 772  77 009  30 235  11 415  135  11 604 
Protocol. The experimental setup below runs on an Intel(R) Xeon(R) E52660 v3 @ 2.60 GHz, 4 GB RAM per process, and a timeout of 1000 s per formula.

Metrics. For RQ1 we compare the number of sat and unknown answers between solvers supporting quantification, with and without our approach. For RQ2, we compare the number of sat and unknown answers between quantifierfree solvers enhanced by our approach and solvers supporting quantification. For RQ3, we measure preprocessing time and formulas size overhead.

Benchmarks. We consider two sets of ABV formulas. First, a set of 1421 formulas from (a modified version of) the symbolic execution tool Binsec [12] representing quantified reachability queries (cf. Sect. 2) over Binsec benchmark programs (security challenges, e.g. crackme or vulnerability finding). The initial (array) memory is quantified so that models depend only on user input. Second, a set of 1269 ABV formulas generated from formulas of the QFABV category of SMTLIB [5] – subcategories brummayerbiere, dwp formulas and klee selected. The generation process consists in universally quantifying some of the initial array variables, mimicking quantified reachability problems.

Competitors. For RQ1, we compete against the two stateoftheart SMT solvers for quantified formulas CVC4 [4] (finite model instantiation [31]) and Z3 [14] (modelbased instantiation [20]). We also consider degraded versions CVC4\(_{E}\) and Z3\(_{E}\) that roughly represent standard Ematching [16]. For RQ2 we use Boolector [10], one of the very best QFABV solvers.
Complementarity of our approach with existing solvers (sat instances)
SMTLIB  CVC4  \(10\)  +168  [252]  \(10\)  +325  [409]  
Z3  \(119\)  +224  [485]  \(86\)  +224  [485]  
Binsec  CVC4  \(25\)  +28  [979]  \(25\)  +116  [1067]  
Z3  \(25\)  +114  [1067]  \(25\)  +114  [1067] 
Table 2 substantiates the complementarity of the different methods, and reads as follow: for SMTLIB, Open image in new window solves 224 (sat) formulas missed by Z3, while Z3 solves 86 (sat) formulas missed by Open image in new window , and 485 (sat) formulas are solved by either one of them.
GRUB example
Z3  

#  sat  540  1 
unsat  N/A  42  
unknown  355  852  
Total time  16 732  159 765 
Best approaches
Former  New  

Z3  Open image in new window \(\triangleright \) Z3  
SMTLIB  sat  261  399  485 
unsat  165  N/A  165  
unknown  843  870  619  
Time  270 150  350  94 610  
Binsec  sat  953  1042  1067 
unsat  319  N/A  319  
unknown  149  379  35  
Time  64 761  1 152  1 169 
Conclusion. Experiments demonstrate the relevance of our taintbased technique for model generation. (RQ1) Results in Table 1 shows that our approach greatly facilitates the resolution process. On these examples, our method performs better than stateoftheart solvers but also strongly complements them (Table 2). (RQ2) Moreover, Table 1 demonstrates that our technique is highly effective at lifting quantifierfree solvers to quantified formulas, in both number of sat answers and computation time. Indeed, once lifted, Boolector performs better (for satonly) than Z3 or CVC4 with full quantifier support. Finally (RQ3) our tainting method itself is very efficient both in time and space, making it perfect either for a preprocessing step or for a deeper integration into a solver. In our current prototype implementation, we consider the cost to be low. The companion technical report contains a few additional experiments on bitvectors and integer arithmetic, including the example from Fig. 1.
8 Related Work
Traditional approaches to solving quantified formulas essentially involve either generic methods geared to proving unsatisfiability and validity [16], or complete but dedicated approaches for particular theories [8, 36]. Besides, some recent methods [20, 22, 31] aim to be correct and complete for larger classes of theories.
Generic Method for Unsatisfiability. Broadly speaking, these methods iteratively instantiate axioms until a contradiction is found. They are generic w.r.t. the underlying theory and allow to reuse standard theory solvers, but termination is not guaranteed. Also, they are more suited to prove unsatisfiability than to find models. In this family, Ematching [13, 16] shows reasonable cost when combined with conflictbased instantiation [30] or semantic triggers [17, 18]. In pure firstorder logic (without theories), quantifiers are mainly handled through resolution and superposition [1, 26] as done in Vampire [24, 33] and E [34].
Complete Methods for Specific Theories. Much work has been done on designing complete decision procedures for quantified theories of interest, notably array properties [8], quantified theory of bitvectors [23, 36], Presburger arithmetic or Real Linear Arithmetic [9, 19]. Yet, they usually come at a high cost.
Generic Methods for Model Generation. Some recent works detail attempts at more general approaches to model generation.
Local theory extensions [2, 22] provide means to extend some decidable theories with free symbols and quantifications, retaining decidability. The approach identifies specific forms of formulas and quantifications (bounded), such that these theory extensions can be solved using finite instantiation of quantifiers together with a decision procedure for the original theory. The main drawback is that the formula size can increase a lot.
Modelbased quantifier instantiation is an active area of research notably developed in Z3 and CVC4. The basic line is to consider the partial model under construction in order to find the right quantifier instantiations, typically in a tryandrefine manner. Depending on the variants, these methods favors either satisfiability or unsatisfiability. They build on the underlying quantifierfree solver and can be mixed with Ematching techniques, yet each refinement yields a solver call and the refinement process may not terminate. Ge and de Moura [20] study decidable fragments of firstorder logic modulo theories for which modelbased quantifier instantiation yields soundness and refutational completeness. Reynolds et al. [30], Barbosa [3] and Preiner et al. [28] use models to guide the instantiation process towards instances refuting the current model. Finite model quantifier instantiation [31, 32] reduces the search to finite models, and is indeed geared toward model generation rather than unsatisfiability. Similar techniques have been used in program synthesis [29].
We drop support for the unsatisfiable case but get more flexibility: we deal with quantifiers on any sort, the approach terminates and is lightweight, in the sense that it requires a single call to the underlying quantifierfree solver.
Other. Our method can be seen as taking inspiration from program taint analysis [15, 27] developed for checking the noninterference [35] of public and secrete input in securitysensitive programs. As far as the analogy goes, our approach should not be seen as checking noninterference, but rather as inferring preconditions of noninterference. Moreover, our formulatainting technique is closer to dynamic programtainting than to static programtainting, in the sense that precise dependency conditions are statically inserted at preprocesstime, then precisely explored at solvingtime.
Finally, Darvas et al. [11] presents a bottomup formula strengthening method. Their goal differ from ours, as they are interested in formula welldefinedness (rather than independence) and validity (rather than model generation).
9 Conclusion
This paper addresses the problem of generating models of quantified firstorder formulas over builtin theories. We propose a correct and generic approach based on a reduction to the quantifierfree case through the inference of independence conditions. The technique is applicable to any theory with a decidable quantifierfree case and allows to reuse all the work done on quantifierfree solvers. The method significantly enhances the performances of stateoftheart SMT solvers for the quantified case, and supplements the latest advances in the field.
Future developments aim to tackle the definition of more precise inference mechanisms of independence conditions, the identification of interesting subclasses for which inferring weakest independence conditions is feasible, and the combination with other quantifier instantiation techniques.
Footnotes
References
 1.Bachmair, L., Ganzinger, H.: Rewritebased equational theorem proving with selection and simplification. J. Log. Comput. 4(3), 217–247 (1994)MathSciNetCrossRefGoogle Scholar
 2.Bansal, K., Reynolds, A., King, T., Barrett, C.W., Wies, T.: Deciding local theory extensions via ematching. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9207, pp. 87–105. Springer, Cham (2015). https://doi.org/10.1007/9783319216683_6CrossRefGoogle Scholar
 3.Barbosa, H.: Efficient instantiation techniques in SMT (work in progress). In: Proceedings of the 5th Workshop on Practical Aspects of Automated Reasoning, Colocated with International Joint Conference on Automated Reasoning (IJCAR 2016), Coimbra, Portugal, 2 July 2016, pp. 1–10 (2016)Google Scholar
 4.Barrett, C., et al.: CVC4. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 171–177. Springer, Heidelberg (2011). https://doi.org/10.1007/9783642221101_14CrossRefGoogle Scholar
 5.Barrett, C., Stump, A., Tinelli, C.: The SMTLIB standard: version 2.0. In: Gupta, A., Kroening, D. (eds.) Proceedings of the 8th International Workshop on Satisfiability Modulo Theories (Edinburgh, UK) (2010)Google Scholar
 6.Barrett, C.W., Sebastiani, R., Seshia, S.A., Tinelli, C.: Satisfiability modulo theories. In: Handbook of Satisfiability, pp. 825–885 (2009)Google Scholar
 7.Biere, A.: Bounded model checking. In: Handbook of Satisfiability, pp. 457–481 (2009)Google Scholar
 8.Bradley, A.R., Manna, Z., Sipma, H.B.: What’s decidable about arrays? In: Emerson, E.A., Namjoshi, K.S. (eds.) VMCAI 2006. LNCS, vol. 3855, pp. 427–442. Springer, Heidelberg (2005). https://doi.org/10.1007/11609773_28CrossRefGoogle Scholar
 9.Brillout, A., Kroening, D., Rümmer, P., Wahl, T.: Beyond quantifierfree interpolation in extensions of presburger arithmetic. In: Jhala, R., Schmidt, D. (eds.) VMCAI 2011. LNCS, vol. 6538, pp. 88–102. Springer, Heidelberg (2011). https://doi.org/10.1007/9783642182754_8CrossRefGoogle Scholar
 10.Brummayer, R., Biere, A.: Boolector: an efficient smt solver for bitvectors and arrays. In: Kowalewski, S., Philippou, A. (eds.) TACAS 2009. LNCS, vol. 5505, pp. 174–177. Springer, Heidelberg (2009). https://doi.org/10.1007/9783642007682_16CrossRefzbMATHGoogle Scholar
 11.Darvas, Á., Mehta, F., Rudich, A.: Efficient welldefinedness checking. In: Armando, A., Baumgartner, P., Dowek, G. (eds.) IJCAR 2008. LNCS (LNAI), vol. 5195, pp. 100–115. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540710707_8CrossRefGoogle Scholar
 12.David, R., Bardin, S., Ta, T.D., Mounier, L., Feist, J., Potet, M., Marion, J.: BINSEC/SE: a dynamic symbolic execution toolkit for binarylevel analysis. In: IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering, SANER 2016, Osaka, Japan, 14–18 March 2016, vol. 1, pp. 653–656 (2016)Google Scholar
 13.de Moura, L.M., Bjørner, N.: Efficient ematching for SMT solvers. In: Pfenning, F. (ed.) CADE 2007. LNCS (LNAI), vol. 4603, pp. 183–198. Springer, Heidelberg (2007). https://doi.org/10.1007/9783540735953_13CrossRefGoogle Scholar
 14.de Moura, L.M., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540788003_24CrossRefGoogle Scholar
 15.Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. Commun. ACM 20(7), 504–513 (1977)CrossRefGoogle Scholar
 16.Detlefs, D., Nelson, G., Saxe, J.B.: Simplify: a theorem prover for program checking. J. ACM 52(3), 365–473 (2005)MathSciNetCrossRefGoogle Scholar
 17.Dross, C., Conchon, S., Kanig, J., Paskevich, A.: Reasoning with triggers. In: 10th International Workshop on Satisfiability Modulo Theories, SMT 2012, Manchester, UK, 30 June–1 July 2012, pp. 22–31 (2012)Google Scholar
 18.Dross, C., Conchon, S., Kanig, J., Paskevich, A.: Adding decision procedures to SMT solvers using axioms with triggers. J. Autom. Reason. 56(4), 387–457 (2016)MathSciNetCrossRefGoogle Scholar
 19.Farzan, A., Kincaid, Z.: Linear arithmetic satisfiability via strategy improvement. In: Proceedings of the TwentyFifth International Joint Conference on Artificial Intelligence, IJCAI 2016, New York, NY, USA, 9–15 July 2016, pp. 735–743 (2016)Google Scholar
 20.Ge, Y., de Moura, L.M.: Complete instantiation for quantified formulas in satisfiabiliby modulo theories. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 306–320. Springer, Heidelberg (2009). https://doi.org/10.1007/9783642026584_25CrossRefGoogle Scholar
 21.Godefroid, P., Levin, M.Y., Molnar, D.A.: SAGE: whitebox fuzzing for security testing. ACM Queue 10(1), 20 (2012)CrossRefGoogle Scholar
 22.Ihlemann, C., Jacobs, S., SofronieStokkermans, V.: On local reasoning in verification. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 265–281. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540788003_19CrossRefGoogle Scholar
 23.Jonáš, M., Strejček, J.: Solving quantified bitvector formulas using binary decision diagrams. In: Creignou, N., Le Berre, D. (eds.) SAT 2016. LNCS, vol. 9710, pp. 267–283. Springer, Cham (2016). https://doi.org/10.1007/9783319409702_17CrossRefGoogle Scholar
 24.Kovács, L., Voronkov, A.: Firstorder theorem proving and Vampire. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 1–35. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642397998_1CrossRefGoogle Scholar
 25.Kroening, D., Strichman, O.: Decision Procedures  An Algorithmic Point of View. Texts in Theoretical Computer Science. An EATCS Series. Springer, Heidelberg (2008). https://doi.org/10.1007/9783662504970CrossRefzbMATHGoogle Scholar
 26.Nieuwenhuis, R., Rubio, A.: Paramodulationbased theorem proving. In: Handbook of Automated Reasoning, vol. 2, pp. 371–443 (2001)Google Scholar
 27.Ørbæk, P.: Can you trust your data? In: Mosses, P.D., Nielsen, M., Schwartzbach, M.I. (eds.) CAAP 1995. LNCS, vol. 915, pp. 575–589. Springer, Heidelberg (1995). https://doi.org/10.1007/3540592938_221CrossRefGoogle Scholar
 28.Preiner, M., Niemetz, A., Biere, A.: Counterexampleguided model synthesis. In: Legay, A., Margaria, T. (eds.) TACAS 2017. LNCS, vol. 10205, pp. 264–280. Springer, Heidelberg (2017). https://doi.org/10.1007/9783662545775_15CrossRefzbMATHGoogle Scholar
 29.Reynolds, A., Deters, M., Kuncak, V., Tinelli, C., Barrett, C.: Counterexampleguided quantifier instantiation for synthesis in SMT. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9207, pp. 198–216. Springer, Cham (2015). https://doi.org/10.1007/9783319216683_12CrossRefGoogle Scholar
 30.Reynolds, A., Tinelli, C., de Moura, L.M.: Finding conflicting instances of quantified formulas in SMT. In: Formal Methods in ComputerAided Design, FMCAD 2014, Lausanne, Switzerland, 21–24 October 2014, pp. 195–202 (2014)Google Scholar
 31.Reynolds, A., Tinelli, C., Goel, A., Krstić, S.: Finite model finding in SMT. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 640–655. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642397998_42CrossRefGoogle Scholar
 32.Reynolds, A., et al.: Quantifier instantiation techniques for finite model finding in SMT. In: Bonacina, M.P. (ed.) CADE 2013. LNCS (LNAI), vol. 7898, pp. 377–391. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642385742_26CrossRefGoogle Scholar
 33.Riazanov, A., Voronkov, A.: The design and implementation of VAMPIRE. AI Commun. 15(2–3), 91–110 (2002)zbMATHGoogle Scholar
 34.Schulz, S.: E  a brainiac theorem prover. AI Commun. 15(2–3), 111–126 (2002)zbMATHGoogle Scholar
 35.Smith, G.: Principles of secure information flow analysis. In: Christodorescu, M., Jha, S., Maughan, D., Song, D., Wang, C. (eds.) Malware Detection. ADIS, vol. 27, pp. 291–307. Springer, Boston (2007). https://doi.org/10.1007/9780387445991_13CrossRefGoogle Scholar
 36.Wintersteiger, C.M., Hamadi, Y., de Moura, L.M.: Efficiently solving quantified bitvector formulas. In: Proceedings of 10th International Conference on Formal Methods in ComputerAided Design, FMCAD 2010, Lugano, Switzerland, 20–23 October, pp. 239–246 (2010)Google Scholar
Copyright information
<SimplePara><Emphasis Type="Bold">Open Access</Emphasis>This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License(http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.</SimplePara><SimplePara>The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.</SimplePara>