
Lecture 5: SMT: Foundations

Week 5 | Apr 27 – May 3

Real verification problems span several theories at once: a heap routine touches arrays, integer indices, and uninterpreted helper functions in a single formula. Today we make that cooperation precise. First-order logic gives the language for stating what each theory solver knows; Nelson-Oppen gives the protocol the solvers use to talk to each other. Practice motivates with three escalating demos, Theory makes the protocol formal and works through both the convex and the non-convex case, and Studio is hands-on practice on the FOL evaluator and small mixed-theory queries.

What We Cover

Practice opens with two implementations of in-place swap on an array, equivalent when they swap two plain variables but with a real bug on array elements when the indices alias. Two theories cooperate to find it: array reasoning compares the final arrays, integer reasoning produces the aliasing witness (i = j). Then a small formula sharpens the point: each side is satisfiable on its own, the combination is unsatisfiable, and the fact that connects them is a hidden disjunction that neither side states as a single equality. The third demo runs through Bradley and Manna's worked example live: three notes pass back and forth between the linear-real reasoner and the equality reasoner, each step verified by Z3 acting as an oracle on the side.

Theory opens the protocol. First-order logic gives us structures and the precise theory-solver contract that L03 hand-waved. Nelson-Oppen needs three restrictions on the theories it combines, and the third one (stably infinite: every satisfiable quantifier-free formula has an infinite model) is honestly metagame: a fix to a hole in the original 1979 paper. Purification is the same trick as Tseitin from Week 1, with fresh variables naming cross-theory subterms instead of subformulas. Equality propagation is the loop that closes the cooperation. Convex theories propagate single equalities between shared variables and are clean; non-convex theories like the integers can entail a disjunction of equalities without entailing any one of them, which forces a case split, exactly what Practice's middle formula needed. Theory closes by paying off the worked example and naming what is left for L06.

Studio is the only practice studio of the SMT block (next week's Studio is the R3 reading discussion). Type the FOL evaluator from Theory's worked example, predict SAT or UNSAT on three mixed-theory Z3 queries before running them, then construct your own cooperation-gap formula from scratch, with a midway class-wide sync to surface the question on top of your stack. Stretch: foreshadow L06 with a small ForAll axiom and a negated-instance check.

Practice: Why theories must cooperate: three acts on mixed-theory formulas

Three escalating demos: two theories cooperating, two theories failing to cooperate, the protocol up close.

Theory: First-order logic + Nelson-Oppen for convex theories

We open the box. First-order logic gives us the language for talking about cooperation. Nelson-Oppen gives us the protocol.

Studio: FOL evaluator, mixed-theory predict-then-check, purification

Your first session writing FOL semantics directly: type the evaluator, predict mixed-theory outcomes, then construct a cooperation gap from scratch.
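An evaluator of the kind the Studio asks you to type, added here as an illustration of the structures from Theory and not the course's own worked example: terms and formulas as tuples, a Structure class holding the domain and the interpretation of each symbol, and Tarski semantics with quantifiers ranging over a finite domain. The two sample structures, the sentence names, and the tuple encoding are assumptions of this example.

```python
# Constructed example of first-order semantics over finite structures.
#
# Terms: a variable is a str; an application is (symbol, t1, ..., tn) and a
# constant is a 0-ary application such as ("zero",).
# Formulas: ("=", t1, t2), ("P", name, t1, ..., tn), ("not", phi),
#           ("and", a, b), ("or", a, b), ("implies", a, b),
#           ("forall", var, phi), ("exists", var, phi).


class Structure:
    """A first-order structure: a finite domain plus an interpretation of each
    function symbol (a callable on domain elements) and each predicate symbol
    (a callable returning a bool)."""

    def __init__(self, domain, funcs, preds):
        self.domain = list(domain)
        self.funcs = funcs
        self.preds = preds


def eval_term(term, M, env):
    """Value of a term in M under the variable assignment env."""
    if isinstance(term, str):
        return env[term]
    sym, *args = term
    return M.funcs[sym](*(eval_term(a, M, env) for a in args))


def holds(phi, M, env=None):
    """Tarski semantics: M, env |= phi.  Quantifiers enumerate M.domain, so
    this is a decision procedure only for finite structures."""
    env = {} if env is None else env
    op = phi[0]
    if op == "=":
        return eval_term(phi[1], M, env) == eval_term(phi[2], M, env)
    if op == "P":
        return bool(M.preds[phi[1]](*(eval_term(a, M, env) for a in phi[2:])))
    if op == "not":
        return not holds(phi[1], M, env)
    if op == "and":
        return holds(phi[1], M, env) and holds(phi[2], M, env)
    if op == "or":
        return holds(phi[1], M, env) or holds(phi[2], M, env)
    if op == "implies":
        return (not holds(phi[1], M, env)) or holds(phi[2], M, env)
    if op in ("forall", "exists"):
        _, var, body = phi
        outcomes = (holds(body, M, {**env, var: d}) for d in M.domain)
        return all(outcomes) if op == "forall" else any(outcomes)
    raise ValueError(f"unknown connective {op!r}")


def is_model(M, sentences):
    """Is M a model of every sentence in the list (i.e. of that theory)?"""
    return all(holds(s, M) for s in sentences)


# Two constructed structures over the signature {s/1, zero/0, lt/2}: the
# integers mod 3 with successor, and {0..3} with a successor that saturates.
MOD3 = Structure(range(3),
                 {"s": lambda n: (n + 1) % 3, "zero": lambda: 0},
                 {"lt": lambda a, b: a < b})
CAPPED = Structure(range(4),
                   {"s": lambda n: min(n + 1, 3), "zero": lambda: 0},
                   {"lt": lambda a, b: a < b})

# Sentences about the successor symbol s.
S_SURJECTIVE = ("forall", "x", ("exists", "y", ("=", ("s", "y"), "x")))
S_INJECTIVE = ("forall", "x", ("forall", "y",
               ("implies", ("=", ("s", "x"), ("s", "y")), ("=", "x", "y"))))
S_NO_FIXPOINT = ("forall", "x", ("not", ("=", ("s", "x"), "x")))
S_CONGRUENT = ("forall", "x", ("forall", "y",
               ("implies", ("=", "x", "y"), ("=", ("s", "x"), ("s", "y")))))
ZERO_BELOW_ONE = ("P", "lt", ("zero",), ("s", ("zero",)))

if __name__ == "__main__":
    for name, M in (("MOD3", MOD3), ("CAPPED", CAPPED)):
        print(name, [holds(s, M) for s in
                     (S_SURJECTIVE, S_INJECTIVE, S_NO_FIXPOINT, S_CONGRUENT, ZERO_BELOW_ONE)])
```

Two things to notice once it runs. S_CONGRUENT is true in both structures because it is true in every structure (equal arguments give equal values for any function), which is exactly the fact the equality reasoner in Nelson-Oppen uses to turn x = y into f(x) = f(y). And the evaluator only works because the domains are finite: the theory solvers of this week answer the same kind of question for the integers or the reals, where enumerating the domain is not an option, which is why each theory needs its own decision procedure rather than this brute-force loop.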