Model Generation for Quantified Formulas: A Taint-Based Approach

We focus in this paper on generating models of quantified first-order formulas over built-in theories, which is paramount in software verification and bug finding. While standard methods are either geared toward proving the absence of solution or targeted to specific theories, we propose a generic approach based on a reduction to the quantifier-free case. Our technique allows thus to reuse all the efficient machinery developed for that context. Experiments show a substantial improvement over state-of-the-art methods.

identification of subclasses for which inferring weakest independence conditions is feasible, and the combination with other quantifier instantiation techniques.

Motivation
Let us take the code sample in Fig. 1 and suppose we want to reach function analyze_me. For this purpose, we need a model (a.k.a., solution) of the reachability condition φ ax + b > 0, where a, b and x are symbolic variables associated to the program variables a, b and x. However, while the values of a and b are usercontrolled, the value of x is not. Therefore if we want to reach analyze_me in a reproducible manner, we actually need a model of φ ∀ ∀x.ax + b > 0, which involves universal quantification. While this specific formula is simple, model generation for quantified formulas is notoriously difficult: PSPACE-complete for booleans, undecidable for uninterpreted functions or arrays.

Fig. 1: Motivating example
Reduction to the quantifier-free case through independence. We propose to ignore the universal quantification over x, but restrict models to those which do not depend on x. For example, model {a = 1, x = 1, b = 0} does depend on x, as taking x = 0 invalidates the formula, while model {a = 0, x = 1, b = 1} is independent of x. We call constraint ψ (a = 0) an independence condition: any interpretation of φ satisfying ψ will be independent of x, and therefore a model of φ ∧ ψ will give us a model of φ ∀ .
Inference of independence conditions through tainting. Fig. 1 details in its right part a way to infer such independence conditions. Given a quantified reachability condition (1), we first associate to every variable v a (boolean) taint variable v • indicating whether the solution may depend on v (value ⊤) or not (value ⊥). Here, x • is set to ⊥, a • and b • are set to ⊤ (2). An independence condition (3) -a formula modulo theory -is then constructed using both initial and taint variables. We extend taint constraints to terms, t • indicating here whether t may depend on x or not, and we require the top-level term (i.e., the formula) to be tainted to ⊤ (i.e., to be indep. from x). Condition (3) reads as follows: in order to enforce that (ax + b > 0) • holds, we enforce that (ax) • and b • hold, and for (ax) • we require that either a • and x • hold, or a • holds and a = 0 (absorbing the value of x), or the symmetric case. We see that · • is defined recursively and combines a systematic part (if t • holds then f (t) • holds, for any f ) with a theory-dependent part (here, based on ×). After simplifications (4), we obtain a = 0 as an independence condition (5) which is adjoined to the reachability condition freed of its universal quantification (6). A QF-solver provides a model of (6) (e.g., {a = 0, b = 1, x = 5}), lifted into a model of (1) by discarding the valuation of x (e.g., {a = 0, b = 1}). In this specific example the inferred independence condition (5) is the most generic one and (1) and (6) are equisatisfiable. Yet, in general it may be an under-approximation, constraining the variables more than needed and yielding a correct but incomplete decision method: a model of (6) can still be turned into a model of (1), but (6) might not have a model while (1) has.

Notations
We consider the framework of many-sorted first-order logic with equality, and we assume standard definitions of sorts, signatures and terms. Given a tuple of variables x (x 1 , . . . , x n ) and a quantifier Q (∀ or ∃), we shorten with Φ a quantifier-free formula. A formula is in Skolem normal form if it is in prenex normal form with only universal quantifiers. We write Φ (x) to denote that the free variables of Φ are in x. Let t (t 1 , . . . , t n ) be a term tuple, we write Φ (t) for the formula obtained from Φ by replacing each occurrence of x i in Φ by t i . An interpretation I associates a domain to each sort of a signature and a value to each symbol of a formula, and ∆ I denotes the evaluation of term ∆ over I. A satisfiability relation |= between interpretations and formulas is defined inductively as usual. A model of Φ is an interpretation I satisfying I |= Φ. We sometimes refer to models as "solutions". Formula Ψ entails formula Φ, written Ψ |= Φ, if every interpretation satisfying Ψ satisfies Φ as well. Two formula are equivalent, denoted Ψ ≡ Φ, if they have the same models. A theory T (Σ, I) restricts symbols in Σ to be interpreted in I. The quantifier-free fragment of T is denoted QF-T . a, b, a) is always true or always false, for all possible valuations of x as long as a is set to a. More formally, we define the independence of an interpretation of Φ w.r.t. x as follows: Regarding formula ax + b > 0 from Fig. 1,

Independent interpretations, terms and formulas
, with t an array written at index a then read at index c, [2]). We now define independence for formulas and terms. Def. 2 of formula and term independence is far stronger than Def. 1 of interpretation independence. Indeed, it can easily be checked that if a formula Φ (resp. a term ∆) is independent of x, then any interpretation of Φ (resp. ∆) is independent of x. However, the converse is false as formula ax + b > 0 is not independent of x, but has an interpretation {a = 0, b = 1, x = 1} which is.

Independence conditions
Since it is rarely the case that a formula (resp. term) is independent from a set of variables x, we are interested in Sufficient Independence Conditions. These conditions are additional constraints that can be added to a formula (resp. term) in such a way that they make the formula (resp. term) independent of x.
We denote by sic Φ,x (resp. sic ∆,x ) a Sufficient Independence Condition for a formula Φ (x, a) (resp. for a term ∆ (x, a)) with regard to x. For example, a = 0 is a sic Φ,x for formula Φ ax + b > 0, and a = c is a sic ∆,t for term [c]. Note that ⊥ is always a sic, and that sic are closed under ∧ and ∨. Prop. 1 clarifies the interest of sic for model generation. Proof (sketch of). Appendix C.1.
For the sake of completeness, we introduce now the notion of Weakest Independence Condition for a formula Φ (x, a) with regard to x (resp. a term ∆ (x, a)). We will denote such conditions wic Φ,x (resp. wic ∆,x ). a)) is always a wic Φ,x , and any formula Π is a wic Φ,x if and only if Π ≡ Ω. Therefore all syntactically different wic have the same semantics. As an example, both sic a = 0 and a = c presented earlier are wic. Prop. 2 emphasizes the interest of wic for model generation. From now on, our goal is to infer from a formula ∀x.Φ (x, a) a sic Φ,x Ψ (a), find a model for Ψ (a) ∧ Φ (x, a) and generalize it. This sic Φ,x should be as weak -in the sense "less coercive" -as possible, as otherwise ⊥ could always be used, which would not be very interesting for our overall purpose.

Definition 4 (Weakest Independence Condition (WIC)). -A Weakest Independence Condition for a formula
For the sake of simplicity, previous definitions omit to mention the theory to which the sic belongs. If the theory T of the quantified formula is decidable we can always choose ∀x.∀y. (Φ (x, a) ⇔ Φ (y, a)) as a sic, but it is simpler to directly use a T -solver. The challenge is, for formulas in an undecidable theory

Generic framework for SIC-based model generation
We describe now our overall approach. Alg. 1 presents our sic-based generic framework for model generation (Sec. 5.1). Then, Alg. 2 proposes a taint-based approach for sic inference (Sec. 5.2). Finally, we discuss complexity and efficiency issues (Sec. 5.3) and detail extensions (Sec. 5.4), such as partial elimination.
From now on, we do not distinguish anymore between terms and formulas, their treatment being symmetric, and we call targeted variables the variables we want to be independent of. -solveQF is a decision procedure (typically a SMT solver) for QF-T . solveQF is said to be correct if each time it answers sat (resp. unsat) the formula is satisfiable (resp. unsatisfiable); it is said to be complete if it always answers sat or unsat, never unknown. -inferSIC takes as input a formula Φ in QF-T and a set of targeted variables

Algorithm 1: SIC-based model generation for quantified formulas
x, and produces a sic Φ,x in QF-T . It is said to be correct if it always returns a sic, and complete if all the sic it returns are wic. A possible implementation of inferSIC is described in Alg. 2 (Sec. 5.2).
Function solveQ enjoys the two following properties, where correctness and completeness are defined as for solveQF.
-If solveQF and inferSIC are complete, then solveQ is complete.

Taint-based SIC inference
Algorithm 2: Taint-based sic inference Parameter: theorySIC Input: f a function symbol, its parameters φi, x a set of targeted variables and ψi their associated Input: Φ a formula and x a set of targeted variables Alg. 2 presents a taint-based implementation of function inferSIC. It consists in a (syntactic) core calculus described here, refined by a (semantic) theorydependent calculus theorySIC described in Sec. 6. From formula Φ (x, a) and targeted variables x, inferSIC is defined recursively as follow.
If Φ is a constant it returns ⊤ as constants are independent of any variable.
, it first recursively computes for every sub-term φ i a sic φi,x ψ i . Then these results are sent with Φ to theorySIC which computes a sic Φ,x Ψ . The procedure returns the disjunction between Ψ and the conjunction of the ψ i 's. Note that theorySIC default value ⊥ is absorbed by the disjunction.
The intuition is that if the φ i 's are independent of x, then f (φ 1 , . , φ n ) is. Therefore Alg. 2 is said to be taint-based as, when theorySIC is left to its default value, it acts as a form of taint tracking [14,24] inside the formula.

Complexity and efficiency
We now evaluate the overhead induced by Alg. 1 in terms of formula size and complexity of the resolution -the running time of Alg. 1 itself being expected to be negligible (preprocessing).

Definition 5. The size of a term is inductively defined as size (x)
1 for x a variable, and size (f (t 1 , . , t n )) 1 + Σ i size (t i ) otherwise. We say that theorySIC is bounded in size if there exists K such that, for all term ∆, size (theorySIC (∆, ·)) ≤ K.

Proposition 5 (Complexity bound). Let us suppose theorySIC bounded in size, and let Φ be a formula belonging to a theory
Proof (sketch of). Appendices C.3 and C.4 These propositions demonstrate that, for formula landing in complex enough theories, our method lifts QF-solvers to the quantified case (in an approximated way) without any significant overhead, as long as theorySIC is bounded in size. This later constraint can be achieved by systematically binding sub-terms to (constant-size) fresh names and having theorySIC manipulates these binders.

Discussions
Extension. Let us remarks that our framework encompasses partial quantifier elimination as long as the remaining quantifiers are handled by solveQF. For example, we may want to remove quantifications over arrays but keep those on bitvectors. In this setting, inferSIC can also allow some level of quantification, providing that solveQF handles them.
Nevertheless, we can already highlight a few cases where wic can be computed. inferSIC does propagate wic on one-to-one uninterpreted functions. If no variable x is present in a sub-term, then the associated wic is ⊤. While a priori naive, this case becomes interesting when combined with simplifications (Sec. 7.1) that may eliminate x. If a sub-term falls in a sub-theory admitting quantifier elimination, then the associated wic is computed by eliminating quantifiers in (∀.x. y.Φ(x, a) ⇔ Φ(y, a)). We may also think of dedicated patterns: regarding bitvectors, the wic for x ≤ a ∧ x ≤ x + k is a ≤ Max − k. Identifying under which condition wic propagation holds is a strong direction for future work.

Theory-dependent SIC refinements
We now present theory-dependent sic refinements for theories relevant to program analysis: booleans, fixed-size bitvectors and arrays -recall that uninterpreted functions are already handled by Alg. 2. We then propose a generalization of these refinements together with a correctness proof for a larger class of operators.

Refinement on theories
We recall theorySIC takes four parameters: a function symbol f , its arguments (t 1 , . , t n ), their associated sic (t • 1 , . , t • n ), and targeted variables x. theorySIC pattern-matches the function symbol and returns the associated sic according to rules in Fig. 2. If a function symbol is not supported, we return default value ⊥. Constants and variables are handled by inferSIC. For the sake of simplicity, rules in Fig. 2 are defined recursively, but can easily fit the interface required for theorySIC in Alg. 2 by turning recursive calls into parameters.

Booleans and ite.
Rules for the boolean theory (Fig. 2a) handles ⇒, ∧, ∨ and ite (if-then-else). For binary operators, the sic is the conjunction of the sic associated to one of the two sub-terms and a constraint on this sub-term that forces the result of the operator to be constant -e.g., to be equal to ⊥ (resp. ⊤) for the antecedent (resp. consequent) of an implication. These equality constraints are based on absorbing elements of operators.
Inference for the ite operator is more subtle. Intuitively, if its condition is independent of some x, we use it to select the sic x of the sub-term that will be selected by the ite operator. If the condition is dependent of x, then we cannot use it anymore to select a sic x . In this case, we return the conjunction of the sic x of both sub-terms and the constraint that the two sub-terms are equal.
Bitvectors and arrays. Rules for bitvectors (Fig. 2b) follow similar ideas, with constant ⊤ (resp. ⊥) substituted by 1 n (resp. 0 n ), the bitvector of size n full of ones (resp. zeros). Rules for arrays (Fig. 2c) are derived from the theory axioms. The definition is recursive: rules need be applied until reaching either a store at the position where the select occurs, or the initial array variable.
As a rule of thumb, good sic can be derived from function axioms in the form of rewriting rules, as done for arrays. Similar constructions can be obtained for example for stacks or queues.

R-absorbing functions
We propose a generalization of the previous theory-dependent sic refinements to a larger class of functions, and prove its correctness.

Fig. 2: Examples of refinements for theorySIC
Intuitively, if a function has an absorbing element, constraining one of its operands to be equal to this element will ensure that the result of the function is independent of the other operands. However, it is not enough when a relation between some elements is needed, such as with (t[a ← b]) [c] where constraint a = c ensures the independence with regards to t. We thus generalize the notion of absorption to R-absorption, where R is a relation between function arguments. Definition 6. Let f : τ 1 × · · · × τ n → τ a function. f is R-absorbing if there exists I R ⊂ {1, · · · , n} and R a relation between α i : τ i , i ∈ I R such that, for all b (b 1 , . . . , b n ) and c (c 1 , . . . , c n ) ∈ τ 1 × · · · × τ n , if R( b| IR ) and b| IR = c| IR where ·| IR is the projection on I R , then f (b) = f (c).
I R is called the support of the relation of absorption R.
For example, (a, b) → a ∨ b has two pairs R, I R coinciding with the usual notion of absorption, a = ⊤, {1 a } and b = ⊤, {2 b } . Function (x, y, z) → xy + z has among others the pair has the pair a = c, {1 a , 3 c } . We can now state the following proposition:

Implementation
Our prototype Tfml (Taint engine for ForMuLa) comprises 7 klocs of OCaml. Given an input formula in the SMT-LIB format [5] (ABV theory), Tfml performs several normalizations before adding taint information following Alg. 1. The process ends with simplifications as taint usually introduces many constant values, and a new SMT-LIB formula is output.
Sharing with let-binding. This stage is crucial as it allows to avoid term duplication in theorySIC (Alg. 2, Sec. 5.3, and Prop. 4). We introduce new names for relevant sub-terms in order to easily share them.
Simplifications. We perform constant propagation and rewriting (standard rules, e.g. x − x → 0 or x × 1 → x) on both initial and transformed formulasequality is soundly approximated by syntactic equality.

Shadow arrays. We encode taint constraints over arrays through shadow arrays.
For each array declared in the formula, we declare a (taint) shadow array. The default value for all cells of the shadow array is the taint of the original array, and for each value stored (resp. read) in the original array, we store (resp. read) the taint of the value in the shadow array. As logical arrays are infinite, we cannot constraint all the values contained in the initial shadow array. Instead, we rely on a common trick in array theory: we constraint only cells corresponding to a relevant read index in the formula.
Iterative skolemization. While we have supposed along the paper to work on skolemized formulas, we have to be more careful in practice. Indeed, skolemization introduce dependencies between a skolemized variable and all its preceding universally quantified variables, blurring our analysis and likely resulting in considering the whole formula as dependent. Instead, we follow an iterative process: 1. Skolemize the first block of existentially quantified variables; 2. Compute the independence condition for any targeted variable in the first block of universal quantifiers and remove these quantifiers; 3. Repeat. This results in full Skolemization together with the construction of an independence condition, while avoiding many unnecessary dependencies.

Evaluation
Objective. We experimentally evaluate the following research questions: RQ1 How does our approach perform with regard to state-of-the-art approaches for model generation of quantified formulas? RQ2 How effective is it at lifting quantifier-free solvers into (sat-only) quantified solvers? RQ3 How efficient is it in terms of preprocessing time and formula size overhead? We evaluate our method on a set of formulas combining arrays and bitvectors (paramount in software verification), against state-of-the-art solvers for these theories.
Protocol. The experimental setup below runs on an Intel(R) Xeon(R) E5-2660 v3 @ 2.60GHz, 4GB RAM per process, and a timeout of 1000s per formula.
Metrics For RQ1 we compare the number of sat and unknown answers between solvers supporting quantification, with and without our approach. For RQ2 , we compare the number of sat and unknown answers between quantifier-free solvers enhanced by our approach and solvers supporting quantification. For RQ3 , we measure preprocessing time and formulas size overhead. Benchmarks We consider two sets of ABV formulas. First, a set of 1421 formulas from (a modified version of) the symbolic execution tool Binsec [11] representing quantified reachability queries (cf. Sec. 2) over Binsec benchmark programs (security challenges, e.g. crackme or vulnerability finding). The initial (array) memory is quantified so that models depend only on user input. Second, a set of 1269 ABV formulas generated from formulas of the QF-ABV category of SMT-LIB [5] -sub-categories brummayerbiere, dwp formulas and klee selected. The generation process consists in universally quantifying some of the initial array variables, mimicking quantified reachability problems. Competitors For RQ1 , we compete against the two state-of-the-art SMT solvers for quantified formulas CVC4 [4] (finite model instantiation [27]) and Z3 [13] (mode-based instantiation [18]). We also consider degraded versions CVC4 E and Z3 E that roughly represent standard E-matching [15]. For RQ2 we use Boolector [10], one of the very best QF-ABV solvers. Results. Tables 1 and 2 and Fig. 3 sum up our experimental results, which have all been cross-checked for consistency. Table 1 reports the number of successes (sat or unsat) and failures (unknown), plus total solving times (average time in Appendix D). The • sign indicates formulas preprocessed with our approach. In that case it is impossible to correctly answer unsat (no wic checking), the unsat line is thus N/A. Since Boolector do not support quantified ABV formulas, we only give results with our approach enabled. Table 1 reads as follow: of the 1269 SMT-LIB formulas, standalone Z3 solves 426 formulas (261 sat, 165 unsat), and 366 (all sat) if preprocessed. Interestingly, our approach always improves the underlying solver in terms of solved (sat) instances, either in a significant way (SMT-LIB) or in a modest way (Binsec). Yet, recall that in a software verification setting every win matters (possibly new bug found or new assertion proved). For Z3•, it also strongly reduces computation time. Last but not least, Boolector• (a pure QF-solver) turns out to have the best performance on satinstances, beating state-of-the-art approaches both in terms of solved instances and computation time. Table 2 substantiates the complementarity of the different methods, and reads as follow: for SMT-LIB, Boolector• solves 224 (sat) formulas missed by Z3, while Z3 solves 86 (sat) formulas missed by Boolector•, and 485 (sat) formulas are solved by either one of them. Fig. 3 shows formula size averaging a 9-fold increase (min 3, max 12): yet they are easier to solve because more constrained. Regarding performance and overhead of the tainting process, taint time is almost always less than 1s in our experiments (not shown here), 4min for worst case, clearly dominated by resolution time. The worst case is due to a pass of linearithmic complexity which can be optimized to be logarithmic. Pearls. We show hereafter two particular applications of our method. Table 3 reports results of another symbolic execution experiment, on the grub example. On this example, Boolector• completely outperforms existing approaches. As a second application, while the main drawback of our method is that it precludes proving unsat, this is easily mitigated by complementing the approach with another one geared at (or able to) proving unsat, yielding efficient solvers for quantified formulas, as shown in Table 4.

Conclusion.
Experiments demonstrate the relevance of our taint-based technique for model generation. (RQ1 ) Results in Table 1 shows that our approach greatly facilitates the resolution process. On these examples, our method performs better than state-of-the-art solvers but also strongly complements them ( Table 2). (RQ2 ) Moreover, Table 1 demonstrates that our technique is highly effective at lifting quantifier-free solvers to quantified formulas, in both number of sat answers and computation time. Indeed, once lifted, Boolector perform better (for sat-only) than Z3 or CVC4 with full quantifier support. Finally (RQ3 ) our tainting method itself is very efficient both in time and space, making it perfect either for a preprocessing step or for a deeper integration into a solver. In our current prototype implementation, we consider the cost to be low.

Related work
Traditional approaches to solving quantified formulas essentially involve either generic methods geared at proving unsatisfiability and validity [15], or complete but dedicated approaches for particular theories [8,32]. Besides, some recent methods [20,18,27] aim to be correct and complete for larger classes of theories.
Generic method for unsatisfiability. Broadly speaking, these methods iteratively instantiate axioms until a contradiction is found. They are generic w.r.t. the underlying theory and allow to reuse standard theory solvers, but termination is not guaranteed. Also, they are more suited to prove unsatisfiability than to find models. In this family, E-matching [15,12] shows reasonable cost when combined with conflict-based instantiation [26] or semantic triggers [16,17]. In pure first-order logic (without theories), quantifiers are mainly handled through resolution and superposition [1,23] as done in Vampire [29,21] and E [30].
Complete methods for specific theories. Much work has been done on designing complete decision procedures for quantified theories of interest, notably array properties [8], quantified theory of bitvectors [32], Presburger arithmetic or Real Linear Arithmetic [9]. Yet, They usually come at a high cost.
Generic methods for model generation. Some recent works detail attempts at more general approaches to model generation.
Local theory extensions [20,2] provide means to extend some decidable theories with free symbols and quantifications, retaining decidability. The approach identifies specific forms of formulas and quantifications (bounded), such that these theory extensions can be solved using finite instantiation of quantifiers together with a decision procedure for the original theory. The main drawback is that the formula size can highly increase.
Model-based quantifier instantiation is an active area of research notably developed in Z3 and CVC4. The basic line is to consider the partial model under construction in order to find the right quantifier instantiations, typically in a try-and-refine manner. Depending on the variants, these methods favors either satisfiability or unsatisfiability. They build on the underlying quantifier-free solver and can be mixed with E-matching techniques, yet each refinement yields a solver call and the refinement process may not terminate. Ge and de Moura [18] study decidable fragments of first-order logic modulo theories for which modelbased quantifier instantiation yields soundness and refutational completeness. Reynolds et al. [26], in CVC4, and Barbosa [3], in veriT, use models to guide the instantiation process towards instances refuting the current model. Finite model quantifier instantiation [27,28] reduces the search to finite models, and is indeed geared toward model generation rather than unsatisfiability. Similar techniques have been used in program synthesis [25].
We drop support for the unsatisfiable case but get more flexibility: we deal with quantifiers on any sort, the approach terminates and is lightweight, in the sense that it requires a single call to the underlying quantifier-free solver.
Tainting and non-interference. Our method can be seen as taking inspiration from program taint analysis [14,24] developed for checking the non-interference [31] of public and secrete input in security-sensitive programs. As far as the analogy goes, our approach should not be seen as checking non-interference, but rather as inferring preconditions of non-interference. Moreover, our formulatainting technique is closer to dynamic program-tainting than to static programtainting, in the sense that precise dependency conditions are statically inserted at preprocess-time, then precisely explored at solving-time.

Conclusion
This paper addresses the problem of generating models of quantified first-order formulas over built-in theories. We propose a correct and generic approach based on a reduction to the quantifier-free case through the inference of independence conditions. The technique is applicable to any theory with a decidable quantifierfree case and allows to reuse all the work done on quantifier-free solvers. The method significantly enhances the performances of state-of-the-art SMT solvers for the quantified case, and supplements the latest advances in the field.
Future developments aim to tackle the definition of more precise inference mechanisms of independence conditions, the identification of interesting subclasses for which inferring weakest independence conditions is feasible, and the combination with other quantifier instantiation techniques.

C.3 Size bound (Prop. 4)
Let N be the maximal arity of symbols defined by theory T . If theorySIC is bounded in size by K, then for all formula Φ in T , size (inferSIC (Φ, ·)) ≤ (K + N ) · size (Φ).

C.4 Complexity bound (Prop. 5)
Let us suppose theorySIC bounded in size, and let Φ be a formula belonging to a theory T with polynomial-time checkable solutions. If Ψ is a sic Φ,· produced by inferSIC, then a solution for Φ ∧ Ψ is checkable in time polynomial in size of Φ.