0

Currently, I have a somewhat superficial understanding of how SMT solvers work (the basics of algorithms like E-matching, MBQI, and CVC4/5's inductive reasoning). However, it's very frustrating to debug by trial-and-error.

Is there any guidance on how to debug SMT scripts that make heavy use of quantifiers?

  1. A badly-written script often goes into infinite loop but I cannot tell if it's my mistake, or it's just taking too long to respond.
  2. The SMT solvers tend to hide internals from users, so it's quite hard to figure out why it's stuck. Is there any way to print the "solving context"?

Or maybe I'm using SMT solvers the wrong way? I should design my own verification algorithm, only employing SMT solvers for local decisions?

Any help is appreciated!

Mike Manilone
  • 582
  • 4
  • 17

1 Answers1

2

This is a very subjective question, and largely opinion based. But a couple of general remarks:

  • Don't directly program in SMTLib. It is not meant to be for human-consumption. Instead, use a higher-level API, and script them from a language that you're more familiar with. There are bindings available from any number of languages, including C/C++/Java/Python/O'Caml/Haskell/Scala etc. Just doing this will get rid of most of the mundane mistakes you make.

  • Turn on verbosity output of the solver. You might be able to notice patterns in the log output. Unfortunately this is very solver specific, and can be hard to decipher; but can also indicate if, for instance, you're stuck in an e-matching loop in the presence of quantifiers.

  • If there's a custom algorithm for your verification problem (Hoare triples, separation logic, abstract interpretation, ...), then you first have to apply these techniques and delegate local/sub-lemmas to an SMT solver. Do not expect the SMT solver to be able to do large proofs, and anything that requires actual induction out-of-the box.

  • Try reducing complexity by putting in over-constraints and see which ones help. Based on your findings you might be able to do a case-split, for instance, if the over-constraints enumerate a reasonably small search-space.

Again, these are very general remarks and whether they'll apply for your specific problem is anyone's guess. But I'd start with coding in a higher-level API if you aren't already doing so.

alias
  • 28,120
  • 2
  • 23
  • 40
  • 3
    If you suspect matching loops or other undesirable instantiation patterns, it may be helpful to take a look at the axiom profiler; the one from the Viper project is, I believe, the latest version: https://github.com/viperproject/axiom-profiler – Christoph Wintersteiger Oct 14 '21 at 17:27