Lecture 6: SMT: Quantifiers and DPLL(T)

Week 6 | May 4 – May 10

Tonight ForAll moves to the foreground. When you don't have the source for a function, the spec is what you reason from in its place. A spec that holds for every input is a ForAll axiom. Two questions tonight. How does Z3 reason about these axioms? How does DPLL(T) handle the boolean structure (the ANDs and ORs) wrapping the theory atoms inside? Practice runs ForAll on a queue library you don't have source for. Theory builds DPLL(T). Studio is the third reading discussion, on the limits of formal methods. Next week we move up to Rosette.

What We Cover

Practice opens with a queue library you don't have source for and a one-line cycle wrapper. Z3 verifies the basic invariants and a deeper algebraic property by walking the spec axioms via E-matching. Drop the spec entirely and Z3 picks any model that fits the constraint. Import the wrong spec, a stack instead of a queue, and Z3 proves a theorem about a system that is not yours. The page closes at the cliff: three near-identical axioms (two time out, one returns a model), and a single trigger annotation that flips a formula from microsecond unsat to unknown.

Theory builds DPLL(T), the algorithm that connects CDCL to the theory layer. The offline version hands a complete propositional model to the theory solver and learns a conflict clause when the theory rejects it. Interleaving the theory solver into BCP, online DPLL(T) prunes partial assignments early. The third version, Delayed Theory Combination, opens up Nelson-Oppen so cross-theory equality propagation runs through CDCL's main loop. Z3 and CVC5 use DTC, not textbook Nelson-Oppen.

Studio is the small-group discussion for Reading Reflection 3, on the limits of formal methods. Wayne locates the bottleneck in economics and culture. For Hughes, it's the cost gap between random testing and exhaustive checking. Zhou points to the solver itself: irrelevant edits to a verification query change the outcome. The first two readings assume the solver works as advertised. Zhou says it doesn't. Groups argue about which limit matters most, post a takeaway, and report out.