Presentation is loading. Please wait.

Presentation is loading. Please wait.

Checking Validity of Quantifier-Free Formulas in Combinations of First-Order Theories Clark W. Barrett Ph.D. Dissertation Defense Department of Computer.

Published byJerome Boner Modified over 10 years ago

Similar presentations

Presentation on theme: "Checking Validity of Quantifier-Free Formulas in Combinations of First-Order Theories Clark W. Barrett Ph.D. Dissertation Defense Department of Computer."— Presentation transcript:

1 Checking Validity of Quantifier-Free Formulas in Combinations of First-Order Theories Clark W. Barrett Ph.D. Dissertation Defense Department of Computer Science Stanford University August 2001

2 The Problem: First-Order Logic l First-Order Logic is a mathematical system for making precise statements. l Statements in first-order logic are made up of the following pieces: Variables x, y Constants 0, John, Functions f ( x ), x + y Predicates p ( x ), x > y, x = y Boolean connectives,,, Quantifiers, l Example: Every rectangle is a square x. ( Rectangle ( x ) Square ( x ))

3 The Problem: First-Order Theories l A first-order theory is a set of first-order statements about a related set of constants, functions, and predicates. A theory of arithmetic might include the following statements about 0 and + : x. ( x + 0 = x ) x,y. ( x + y = y + x )

4 The Problem: Validity l An expression is valid if every possible way of interpreting it results in a true statement. x = x p ( x ) x = y f ( x ) = f ( y ) f ( x ) = f ( y ) x = y Valid Invalid l An expression is valid in a theory if every possible way of interpreting it in that theory results in a true statement. x 0 l An expression is valid in a theory if every possible way of interpreting it in that theory results in a true statement. x 0 Invalid in the theory of real arithmetic l An expression is valid in a theory if every possible way of interpreting it in that theory results in a true statement. x 0 Valid in positive real arithmetic

5 The Problem: Validity Checking Suppose T is a first-order theory and is a first-order formula We write T = as an abbreviation for is valid in T A classical result in Computer Science states that in general, the question of whether T = is undecidable. It is impossible to write a program that can always figure out whether T = However, given appropriate restrictions on T and, a program can automatically decide T = We consider theories T such that T = is decidable when is quantifier-free.

6 Motivation l Many interesting and practical problems can be solved by checking the validity of a formula in some theory. l As evidence of this claim, consider the following widely- used tools tools which include decision procedures for checking validity u PVS [Owre et al. 92] u STeP [Manna et al. 96, Bjørner 99] u ESC [Detlefs et al. 98] u Mona [Klarlund and Møller 98] u SVC [Barrett et al. 96]

7 The SVC Story l Roots in processor verification u [Burch and Dill 94] u [Jones et al. 95] l Internal use at Stanford u Symbolic simulation [Su et al. 98] u Software specification checking [Park et al. 98] u Infinite-state model checking [Das and Dill 01] l External use since public release in 1998 u Model Checking [Boppana et al. 99] u Theorem prover proof assistance [Heilmann 99] u Integration into programming languages [Day et al. 99] u Many others

8 The SVC Story l Despite its success, SVC has many limitations u Gaps in theoretical understanding u Outgrown its original software architecture u Unnecessarily slow performance in some cases l This thesis is the result of ongoing efforts to address these limitations. u New contributions to underlying theory u A flexible and efficient implementation u Techniques for faster and more robust performance

9 Outline l Validity Checking Overview u The Problem u Motivation u The SVC Story u Top-Level Algorithm l Methods for Combining Theories l Implementation l Adapting Techniques from Propositional Satisfiability l Contributions and Conclusions

10 Top-Level Algorithm l Consider the following formula in the theory of arithmetic x > y y > x x = y l Step 1: Choose an atomic formula l Step 2: Consider two cases: Replace the atomic formula with true Replace the atomic formula is with false l Step 3: Simplify true y > x x = yfalse y > x x = y true y > x x = y

11 Top-Level Algorithm l Consider the following formula in the theory of arithmetic x > y y > x x = y true y > x x = yfalse y > x x = y true y > x x = y true x = y true false x y y x x y This formula is unsatisfiable

12 Validity Checking Overview l A literal is an atomic formula or its negation The validity checker is built on top of a core decision procedure for satisfiability in T of a set of literals. l The method for checking satisfiability will vary greatly depending on the theory in question l The most powerful technique for producing a satisfiability procedure is by combining other satisfiability procedures

13 Outline l Validity Checking Overview l Methods for Combining Theories u The Problem u Shostaks Method u The Nelson-Oppen Method u A Combined Method l Implementation l Adapting Techniques from Propositional Satisfiability l Contributions and Conclusions

14 The Problem l Consider the following theories: Real linear arithmetic: +, -,0,1,…, Arrays: s [ i ], update ( s, i, v ) Uninterpreted functions and predicates: f ( x ), p ( x ),… l And the following set of literals in the combined theory: p ( y ) s = update ( t, i, 0 ) x - y - z = 0 z + s [ i ] = f ( x - y ) p ( x - f ( f ( z ) ) ) l Consider the following theories: Real linear arithmetic: +, -,0,1,…, Arrays: s [ i ], update ( s, i, v ) Uninterpreted functions and predicates: f ( x ), p ( x ),… l And the following set of literals in the combined theory: p ( y ) s = update ( t, i, 0 ) x - y - z = 0 z + s [ i ] = f ( x - y ) p ( x - f ( f ( z ) ) ) l Consider the following theories: Real linear arithmetic: +, -,0,1,…, Arrays: s [ i ], update ( s, i, v ) Uninterpreted functions and predicates: f ( x ), p ( x ),… l And the following set of literals in the combined theory: p ( y ) s = update ( t, i, 0 ) x - y - z = 0 z + s [ i ] = f ( x - y ) p ( x - f ( f ( z ) ) ) l Consider the following theories: Real linear arithmetic: +, -,0,1,…, Arrays: s [ i ], update ( s, i, v ) Uninterpreted functions and predicates: f ( x ), p ( x ),… l And the following set of literals in the combined theory: p ( y ) s = update ( t, i, 0 ) x - y - z = 0 z + s [ i ] = f ( x - y ) p ( x - f ( f ( z ) ) ) l Consider the following theories: Real linear arithmetic: +, -,0,1,…, Arrays: s [ i ], update ( s, i, v ) Uninterpreted functions and predicates: f ( x ), p ( x ),… l And the following set of literals in the combined theory: p ( y ) s = update ( t, i, 0 ) x - y - z = 0 z + s [ i ] = f ( x - y ) p ( x - f ( f ( z ) ) ) l Question: Given a method to decide satisfiability of literals in each theory, how do we decide the satisfiability of literals in the combined theory? l Two main approaches, each with advantages and disadvantages u Shostak [Shostak 84] u Nelson-Oppen [Nelson and Oppen 79]

15 Shostaks Method l Has formed an ongoing strand of research u Originally published in 1984 [Shostak 84] u Several clarifying papers since then u [Cyrluk et al. 96] u [Ruess and Shankar 01] l Used in several automated deduction systems u PVS, STeP, SVC l Unfortunately, remains difficult to understand u Details are nonintuitive u Simple proof of correctness has been especially elusive l Contribution : A new presentation of a key subset of Shostaks original algorithm.

16 Shostaks Method: Canonizer l There are two main components in a Shostak satisfiability procedure: the canonizer and the solver. l The canonizer rewrites terms into a unique form T = a = b canon ( a ) = canon ( b ) l Example: canonizer for linear arithmetic u Combines like terms canon ( x + x ) = 2 x u Imposes an ordering on the variables canon ( y + x ) = x + y

17 Shostaks Method: Solver A set of equations E is said to be in solved form if the left- hand side of each equation is a variable which appears only once in E in solved formnot in solved form x = y + zx = y + z w = z - aw = z + x v = 3 y + b 2 v = 3 y + b S means replace each left-hand side variable occurring in S with its corresponding right-hand side E ( w + x + y + z ) = z - a + y + z + y + z

18 Shostaks Method: Solver l The solver transforms an equation into an equisatisfiable set of equations in solved form If T = a b, then solve ( a = b ) = { false } u Otherwise: solve ( a = b ) = a set of equations E in solved form T = ( a = b x. E ) x is a set of fresh variables appearing in E, but not in a or b. l Example: solver for real linear arithmetic solve ( x - y - z = 0 ) = { x = y + z } solve ( x + 1 = x - 1 ) = { false }

19 The Simplified Algorithm Given a set of equations and disequations Step 1: Use the solver to convert into an equisatisfiable set of equations E in solved form u Use a generalization of Gaussian elimination with back substitution

20 Choose matrix row The Simplified Algorithm Given a set of equations and disequations Step 1: Use the solver to convert into an equisatisfiable set of equations E in solved form Select an equation from Apply E as a substitution to Solve to get E Apply E as a substitution to E Add E to E - x - 3 y + 2 z = - 1 x - y - 6 z = 1 2 x + y - 10 z = 3 E

21 The Simplified Algorithm Given a set of equations and disequations Step 1: Use the solver to convert into an equisatisfiable set of equations E in solved form Select an equation from Apply E as a substitution to Solve to get E Apply E as a substitution to E Add E to E - x - 3 y + 2 z = - 1 x - y - 6 z = 1 2 x + y - 10 z = 3 E Apply previous rows Choose matrix row

22 The Simplified Algorithm Given a set of equations and disequations Step 1: Use the solver to convert into an equisatisfiable set of equations E in solved form Select an equation from Apply E as a substitution to Solve to get E Apply E as a substitution to E Add E to E x = - 3 y + 2 z + 1 x - y - 6 z = 1 2 x + y - 10 z = 3 E Apply previous rows Make pivot 1 Choose matrix row Apply to previous rows

23 The Simplified Algorithm Given a set of equations and disequations Step 1: Use the solver to convert into an equisatisfiable set of equations E in solved form Select an equation from Apply E as a substitution to Solve to get E Apply E as a substitution to E Add E to E x - y - 6 z = 1 2 x + y - 10 z = 3 E Apply previous rows Make pivot 1 Choose matrix row Apply to previous rows x = - 3 y + 2 z + 1

24 The Simplified Algorithm Given a set of equations and disequations Step 1: Use the solver to convert into an equisatisfiable set of equations E in solved form Select an equation from Apply E as a substitution to Solve to get E Apply E as a substitution to E Add E to E - 3 y + 2 z + 1 - y - 6 z = 1 2 x + y - 10 z = 3 E Apply previous rows Make pivot 1 Choose matrix row Apply to previous rows x = - 3 y + 2 z + 1

25 The Simplified Algorithm Given a set of equations and disequations Step 1: Use the solver to convert into an equisatisfiable set of equations E in solved form Select an equation from Apply E as a substitution to Solve to get E Apply E as a substitution to E Add E to E y = - z 2 x + y - 10 z = 3 E Apply previous rows Make pivot 1 Choose matrix row Apply to previous rows x = - 3 y + 2 z + 1

26 The Simplified Algorithm Given a set of equations and disequations Step 1: Use the solver to convert into an equisatisfiable set of equations E in solved form Select an equation from Apply E as a substitution to Solve to get E Apply E as a substitution to E Add E to E y = - z 2 x + y - 10 z = 3 E Apply previous rows Make pivot 1 Choose matrix row Apply to previous rows x = - 3( - z ) + 2 z + 1

27 The Simplified Algorithm Given a set of equations and disequations Step 1: Use the solver to convert into an equisatisfiable set of equations E in solved form Select an equation from Apply E as a substitution to Solve to get E Apply E as a substitution to E Add E to E 2 x + y - 10 z = 3 E Apply previous rows Make pivot 1 Choose matrix row Apply to previous rows x = 5 z + 1 y = - z

28 The Simplified Algorithm Given a set of equations and disequations Step 1: Use the solver to convert into an equisatisfiable set of equations E in solved form Select an equation from Apply E as a substitution to Solve to get E Apply E as a substitution to E Add E to E 2(5 z + 1) + ( - z ) - 10 z = 3 E Apply previous rows Make pivot 1 Choose matrix row Apply to previous rows x = 5 z + 1 y = - z

29 The Simplified Algorithm Given a set of equations and disequations Step 1: Use the solver to convert into an equisatisfiable set of equations E in solved form Select an equation from Apply E as a substitution to Solve to get E Apply E as a substitution to E Add E to E z = - 1 E Apply previous rows Make pivot 1 Choose matrix row Apply to previous rows x = 5 z + 1 y = - z

30 The Simplified Algorithm Given a set of equations and disequations Step 1: Use the solver to convert into an equisatisfiable set of equations E in solved form Select an equation from Apply E as a substitution to Solve to get E Apply E as a substitution to E Add E to E z = - 1 E Apply previous rows Make pivot 1 Choose matrix row Apply to previous rows x = 5( - 1) + 1 y = - ( - 1)

31 The Simplified Algorithm Given a set of equations and disequations Step 1: Use the solver to convert into an equisatisfiable set of equations E in solved form Select an equation from Apply E as a substitution to Solve to get E Apply E as a substitution to E Add E to E E Apply previous rows Make pivot 1 Choose matrix row Apply to previous rows x = - 4 y = 1 z = - 1

32 The Simplified Algorithm Given a set of equations and disequations Step 1: Use the solver to convert into an equisatisfiable set of equations E in solved form u Step 2: Use this set of equations together with the canonizer to check if any disequality is violated For each a b Check if canon ( E ( a ) ) = canon ( E ( b ) ) E x = - 4 y = 1 z = - 1 2 y - 10 x 6( z - 2 x ) 2(1)-10(-4) 6(-1-2(-4)) 42 42

33 The Simplified Algorithm Given a set of equations and disequations Step 1: Use the solver to convert into an equisatisfiable set of equations E in solved form u Step 2: Use this set of equations together with the canonizer to check if any disequality is violated For each a b Check if canon ( E ( a ) ) = canon ( E ( b ) ) E x = 5 z + 1 y = - z 1 - 4 y x - z 1 - 4( - z ) (5 z + 1) - z 4 z + 1

34 The Simplified Algorithm Given a set of equations and disequations Step 1: Use the solver to convert into an equisatisfiable set of equations E in solved form u Step 2: Use this set of equations together with the canonizer to check if any disequality is violated For each a b Check if canon ( E ( a ) ) = canon ( E ( b ) ) l Technical detail: u If there is more than one disequality, the theory must be convex

35 Shostaks Method: Combining Theories l In what sense is this algorithm a method for combining theories? Two Shostak theories T 1 and T 2 can often be combined to form a new Shostak theory T = T 2 T 2 Compose canonizers: canon = canon 1 o canon 2 u Often, solvers can also be combined u Treat terms from other theory as variables u Repeatedly apply solvers from each theory until resulting set of equations is in solved form

36 Shostaks Method: Contributions l Shostaks original algorithm is much more complicated because it includes a decision procedure for the theory of pure equality with uninterpreted functions l Why is the simplified version a contribution? u Can be applied directly to produce decision procedures, even combinations of decision procedures u Much easier to understand and prove correct u Provides intuition for understanding the original algorithm u Provides the foundation for a generalization of the original Shostak method based on a variation of Nelson-Oppen

37 Nelson-Oppen l Developed for the Stanford Pascal Verifier u [Nelson and Oppen 79] u [Nelson 80, Oppen 80] l Tinelli and Harandi discovered a new (simpler) proof and an important optimization u [Tinelli and Harandi 96] l Used in real systems u ESC u EHDM [von Henke et al. 88] u Vampyre [ http://www-cad.eecs.berkeley.edu/~rupak/Vampyre ]

38 Nelson-Oppen l Unlike Shostak, Nelson-Oppen does not impose a specific strategy on individual theories u Instead of a solver and canonizer, u Each theory provides a complete satisfiability procedure u Technical detail: Each theory must be stably infinite l There are two phases in the version of Nelson-Oppen presented by Tinelli and Harandi u Purification phase u Check phase

39 Nelson-Oppen: Purification Phase l Transform a set of literals in a combined theory to an equisatisfiable set of literals such that each literal is pure : u A pure literal contains symbols from only a single theory l Consider again the following set of literals in a combined theory of arithmetic, arrays, and uninterpreted functions p ( y ) s = update ( t, i, 0 ) x - y - z = 0 z + s [ i ] = f ( x - y ) p ( x - f ( f ( z ) ) ) j = 0

40 Nelson-Oppen: Purification Phase l Transform a set of literals in a combined theory to an equisatisfiable set of literals such that each literal is pure : u A pure literal contains symbols from only a single theory l Consider again the following set of literals in a combined theory of arithmetic, arrays, and uninterpreted functions p ( y ) s = update ( t, i, j ) x - y - z = j z + s [ i ] = f ( x - y ) p ( x - f ( f ( z ) ) ) j = 0 k = s [ i ]

41 Nelson-Oppen: Purification Phase l Transform a set of literals in a combined theory to an equisatisfiable set of literals such that each literal is pure : u A pure literal contains symbols from only a single theory l Consider again the following set of literals in a combined theory of arithmetic, arrays, and uninterpreted functions p ( y ) s = update ( t, i, j ) x - y - z = j z + k = f ( x - y ) p ( x - f ( f ( z ) ) ) j = 0 k = s [ i ] j = 0 k = s [ i ] l = x - y m = z + k

42 Nelson-Oppen: Purification Phase l Transform a set of literals in a combined theory to an equisatisfiable set of literals such that each literal is pure : u A pure literal contains symbols from only a single theory l Consider again the following set of literals in a combined theory of arithmetic, arrays, and uninterpreted functions p ( y ) s = update ( t, i, j ) l - z = j m = f ( l ) p ( x - f ( f ( z ) ) ) j = 0 k = s [ i ] l = x - y m = z + k

43 Nelson-Oppen: Purification Phase l Transform a set of literals in a combined theory to an equisatisfiable set of literals such that each literal is pure : u A pure literal contains symbols from only a single theory l Consider again the following set of literals in a combined theory of arithmetic, arrays, and uninterpreted functions j = 0 k = s [ i ] l = x - y m = z + k n = f ( f ( z ) ) ) v = x - n p ( y ) s = update ( t, i, j ) l - z = j m = f ( l ) p ( v )

44 Nelson-Oppen: Purification Phase l Transform a set of literals in a combined theory to an equisatisfiable set of literals such that each literal is pure : u A pure literal contains symbols from only a single theory l Consider again the following set of literals in a combined theory of arithmetic, arrays, and uninterpreted functions s = update ( t, i, j ) k = s [ i ] p ( y ) m = f ( l ) p ( v ) n = f ( f ( z ) ) ) l - z = j j = 0 l = x - y m = z + k v = x - n

45 Nelson-Oppen: Check Phase Definitions l Shared variables are variables that appear in literals from more than one theory Shared: l, z, j, y, m, k, v, n Unshared: x, s, t, i s = update ( t, i, j ) k = s [ i ] p ( y ) m = f ( l ) p ( v ) n = f ( f ( z ) ) ) l - z = j j = 0 l = x - y m = z + k v = x - n l An arrangement of a set is a set of equalities that partitions the set into equivalence classes Suppose S = { a, b, c } Some arrangements of S u { a b, a c, b c }{ { a }, { b }, { c } } { a = b, a c, b c }{ { a, b }, { c } } { a = b, a = c, b = c }{ { a, b, c } }

46 Nelson-Oppen: Check Phase Choose an arrangement A of the shared variables For each theory, check if the set of literals pure in that theory together with the arrangement A is satisfiable l If an arrangement exists that is compatible with each set of literals, then the original set of literals is satisfiable in the combined theory Arrays s = update ( t, i, j ) k = s [ i ] Uninterpreted p ( y ) m = f ( l ) p ( v ) n = f ( f ( z ) ) ) Arithmetic l - z = j j = 0 l = x - y m = z + k v = x - n A ( l, z, j, y, m, k, v, n )

47 Nelson-Oppen: A Variation l Contribution : A Variation of Nelson-Oppen u The purification phase can be eliminated u Instead, simply partition the formulas according to the outer-most symbol p ( y ) s = update ( t, i, 0 ) x - y - z = 0 z + s [ i ] = f ( x - y ) p ( x - f ( f ( z ) ) ) Arithmetic x - y - z = 0 z + s [ i ] = f ( x - y ) Arrays s = update ( t, i, 0 ) Uninterpreted p ( y ) p ( x - f ( f ( z ) ) )

48 Nelson-Oppen: A Variation l Contribution : A Variation of Nelson-Oppen u The purification phase can be eliminated u Instead, simply partition the formulas according to the outer-most symbol Choose an arrangement A of the shared terms which appear in a term or formula belonging to another theory u For each theory, check if the set of literals assigned to that theory together with the arrangement is satisfiable u Terms with foreign symbols are treated as variables Arithmetic x - y - z = 0 z + s [ i ] = f ( x - y ) Arrays s = update ( t, i, 0 ) Uninterpreted p ( y ) p ( x - f ( f ( z ) ) ) A ( s [ i ], x - y, f ( x - y ), 0, y, z, f ( f ( z ) ), x - f ( f ( z ) ) )

49 Nelson-Oppen: A Variation l Contribution : A Variation of Nelson-Oppen u The purification phase can be eliminated u Instead, simply partition the formulas according to the outer-most symbol Choose an arrangement A of the shared terms which appear in a term or formula belonging to another theory u For each theory, check if the set of literals assigned to that theory together with the arrangement is satisfiable u Terms with foreign symbols are treated as variables l Contributions of this variation u Fewer formulas given to each theory u Easier to implement u Easier to combine with Shostak

50 Combining Shostak and Nelson-Oppen l Theory requirements u Shostak requires convexity u Nelson-Oppen requires stable-infiniteness u Contribution : The following theorem relates the two Every convex first-order theory with no trivial models is stably-infinite u The proof is based on first-order compactness u Note: if a convex theory does admit trivial models, it can usually be modified to include the non-triviality axiom: x,y. x y

51 Combining Shostak and Nelson-Oppen l Contribution : An algorithm for combining the two methods Equalities are processed according to the Shostak algorithm to get a set of equalities E in solved form l All literals are partitioned as in the Nelson-Oppen variation The key idea is to consider the partial arrangement induced on the shared terms S by canon and E : A = : { a = b a, b S canon ( E ( a )) = canon ( E ( b )) } An arrangement A is chosen as in the Nelson-Oppen variation, but this arrangement must include A = This arrangement is automatically consistent with E u The non-Shostak theories are checked for consistency with the arrangement as before

52 Outline l Validity Checking Overview l Methods for Combining Theories l Implementation l Adapting Techniques from Propositional Satisfiability l Contributions and Conclusions

53 Implementation: Approach l Based on Nelson-Oppen and Shostak combination l Online algorithm l Optimizations A Union-Find data structure and an Update List are used to efficiently keep track of both E and A simultaneously u Simplify phase added u Each new formula is simplified u Enables rewrites that can reduce the number of shared terms l Flexible theory interface u Accommodates Nelson-Oppen theories, Shostak theories, and more

54 Implementation: Interface l Recall the top-level algorithm x > y y > x x = y l Choose an atomic formula l Consider two cases: u Add to the set of choices made and simplify Add to the set of choices made and simplify l Repeat until formula is true or set of choices is unsatisfiable Interface from top-level : AddFact, Simplify, Satisfiable true y > x x = yfalse y > x x = y true y > x x = y

55 AddFact Simplify Theory-specific code Top-level code Assert Equalities Rewrite Assert Formula Setup Term Satisfiable RewriteSolveUpdate AssertSetup AddSharedTerm CheckSat Satisfiable

56 AddFact Simplify Top-level code Assert Equalities Rewrite Assert Formula Setup Term Satisfiable p ( y ), s = update ( t, i, 0), x - y - z = 0, z + s [ i ] = f ( x - y ), p ( x - f ( f ( z ))) Uninterpreted Arrays Arithmetic (Shostak) E p ( y ) y y Update List

57 AddFact Simplify Top-level code Assert Equalities Rewrite Assert Formula Setup Term Satisfiable p ( y ), s = update ( t, i, 0), x - y - z = 0, z + s [ i ] = f ( x - y ), p ( x - f ( f ( z ))) Uninterpreted Arrays Arithmetic (Shostak) E s = update ( t, i, 0) 0 y p ( y ) 0 s = update ( t, i, 0) s =... Update List

58 AddFact Simplify Top-level code Assert Equalities Rewrite Assert Formula Setup Term Satisfiable p ( y ), s = update ( t, i, 0), x - y - z = 0, z + s [ i ] = f ( x - y ), p ( x - f ( f ( z ))) Uninterpreted Arrays Arithmetic (Shostak) E Update List x - y - z = 0 y p ( y ) 0 s = update ( t, i, 0) x = y + z s = update ( t, i, 0) x - y - z = 0 x = y + z y + z x =... y + z

59 AddFact Simplify Top-level code Assert Equalities Rewrite Assert Formula Setup Term Satisfiable p ( y ), s = update ( t, i, 0), x - y - z = 0, z + s [ i ] = f ( x - y ), p ( x - f ( f ( z ))) Uninterpreted Arrays Arithmetic (Shostak) E Update List z + s [ i ] = f ( x - y ) y p ( y ) 0 s = update ( t, i, 0) z = f ( z ) s = update ( t, i, 0) z = f ( z ) x = y + z y + z z=f (z)z=f (z) f (z)f (z) z + s [ i ] =... s[i]s[i] s[i]s[i] 0 0 z = f ( z ) z f ( z ) z = f ( z ) x - y z z z = f ( z )

60 AddFact Simplify Top-level code Assert Equalities Rewrite Assert Formula Setup Term Satisfiable p ( y ), s = update ( t, i, 0), x - y - z = 0, z + s [ i ] = f ( x - y ), p ( x - f ( f ( z ))) Uninterpreted Arrays Arithmetic (Shostak) E Update List p ( x - f ( f ( z ))) y p ( y ) 0 s = update ( t, i, 0) x = y + f ( z ) y + z = y + f ( z ) p ( x - …) z z f (z)f (z) f (z)f (z) p ( y ) z f ( z ) z = f ( z ) f ( f ( z )) f ( z ) z = f ( z ) x - f ( z ) y y p ( y ) Satisfiable

61 Implementation: Contributions l Better implementation of Nelson-Oppen u Online algorithm u Each theory only needs to consider a subset of the shared terms u Simplify phase u Can reduce number of shared terms u Equality reasoning is only done once u Simple algorithm with detailed proof u Flexible theory interface l Combined with Shostak u Generalizes original Shostak algorithm Efficient: same data structure for E and A

62 Outline l Validity Checking Overview l Methods for Combining Theories l Implementation l Adapting Techniques from Propositional Satisfiability u The Problem u Combining with SAT u Results l Contributions and Conclusions

63 The Problem l Recall the top-level algorithm x > y y > x x = y l Choose an atomic formula l Consider two cases: u Add to the set of choices made and simplify Add to the set of choices made and simplify l Repeat until formula is true or set of choices is unsatisfiable true y > x x = yfalse y > x x = y true y > x x = y

64 The Problem l The choice of which atomic formula to try next can make a dramatic difference in performance l SVC includes clever heuristics that improve performance significantly l We are convinced that better performance is possible u Equivalent formulas can vary significantly in performance u Research in a related area, Boolean satisfiability (SAT), has advanced significantly l Strategy : Find a way to apply SAT techniques to first-order validity checking

65 Combining with SAT: Approach l Generate SAT problem from validity-checking problem u Negate the formula whose validity is in question u Extract Boolean structure from resulting formula u Convert to CNF [Larabee 92] u Run SAT on converted formula l If SAT reports unsatisfiabile, the formula is valid l The inverse is not true u A satisfying assignment must be checked for first-order consistency

66 Combining with SAT: Initial Results l Implementation u GRASP SAT engine [Silva 96] u SVC2 l Initial results were disappointing u Examples of interest could not be proved by just considering Boolean structure u SAT techniques do not compensate for the loss of information resulting from translation to SAT l Idea : u Incrementally give SAT more information

67 Combining with SAT: Conflict Clauses l A conflict clause captures a minimal set of decisions that lead to a conflict and keeps SAT from ever making the same set of choices true y > x x yfalse y > x x y true x y f ( x ) = f ( y ) y > x x y true false true y > x x y Unsatisfiable f ( x ) f ( y ) y x x = y

68 Combining with SAT: Conflict Clauses l How do we get a conflict clause from the first-order satisfiability algorithm u Using all decisions too slow u Black-box minimization methods too slow l Solution : Use proof-production! u Aaron Stump has extended several SVC decision procedures to produce a proof for every result deduced u By looking at what assumptions are used in a proof of inconsistency, a conflict clause can be obtained

69 Results

70 Results: Preliminary Conclusions l Naïve approach does not work well l Adding conflict clauses results in dramatic speed-ups on several examples l Most helpful on formulas with more Boolean structure l Still more work to be done u Find out source of performance problems u Compare to related work u [Goel et al. 98] u [Bryant et al. 99]

71 Outline l Validity Checking Overview l Methods for Combining Theories l Implementation l Adapting Techniques from Propositional Satisfiability l Contributions and Conclusions

72 Thesis Contributions l A new presentation of the core of Shostaks algorithm u Easier to understand and prove correct u Can be applied directly to produce decision procedures u Forms the foundation of a generalization l A new variation of Nelson-Oppen u Eliminates purification phase u Fewer formulas given to each theory u Easier to implement u Easier to combine with Shostak l A new algorithm combining Shostak and Nelson-Oppen u Theoretical result relating convex and stable-infinite u Generalization of Shostaks original method

73 Thesis Contributions l A detailed and provably correct implementation u Online u Optimized to eliminate redundant equality reasoning u Optimized to reduce number of shared terms u Flexible theory API l Faster search by combining with SAT u Methodology and implementation for extracting CNF u Better performance via conflict clauses u Conflict clauses from proofs (with Aaron Stump) u Dramatic improvements on several examples

74 Future Work l Relaxing restrictions on theories and formulas u Non-disjoint signatures u Non-stably-infinite theories u Formulas with quantifiers l Individual Theories u Efficient implementation for Presburger arithmetic u Better techniques for accommodating third-party decision procedures l SAT u Understand cases where combination with SAT fails

75 Acknowledgements l Advisor: David Dill l Orals Committee: John Gill, Zohar Manna, John Mitchell, Natarajan Shankar l Stanford Associates: Aaron Stump, Jeremy Levitt, Satyaki Das, Jeffrey Xsu, Robert Jones, Vijay Ganesh, Kanna Shimizu, Husam Abu-Haimed, Jens Skakkebæk, David Park, Shankar Govindaraju, Madan Musuvathi, Chris Wilson l Others: Cesare Tinelli l SVC Users l Personal: Friends and family

76 Validity Checking Overview l Top-level Algorithm CheckValid(h,c) IF c = true THEN RETURN TRUE; IF !Satisfiable(h) THEN RETURN FALSE; IF c = false THEN RETURN FALSE; subgoals := ApplyTactic(h,c); FOREACH (h,c) in subgoals DO IF !CheckValid(h,c) THEN RETURN FALSE; RETURN TRUE; CheckValid(h,c) IF c = true THEN RETURN TRUE; IF !Satisfiable(h) THEN RETURN FALSE; IF c = false THEN RETURN FALSE; subgoals := ApplyTactic(h,c); FOREACH (h,c) in subgoals DO IF !CheckValid(h,c) THEN RETURN FALSE; RETURN TRUE; ApplyTactic(h,c) Let e be an atomic formula appearing in c; h1 := AddFact(h,e); c1 := Simplify(h1,c); h2 := AddFact(h,!e); c2 := Simplify(h2,c); RETURN {(h1,c1),(h2,c2)}; If CheckValid( T, ) = TRUE, then T =

77 Shostaks Method: Convexity l A set of literals S is convex in a theory T if T S does not entail any disjunction of equalities without entailing one of the equalities itself l A theory T is convex if every set of literals in the language of T is convex in T

78 Shostaks Method: Requirements on T l Shostak Theory T u Signature of T contains no predicate symbols u T is convex Canonizer such that a,b. T = a =b iff a = b Solver such that if T = a b, then a =b { false } u Otherwise: a =b = a set of equations E in solved form u T = a =b x. E, where x is the set of variables appearing in E, but not in a or b. u The variables in x are guaranteed to be fresh.

79 The Simplified Algorithm Given a set of equations and disequations Step 1: Use the solver to convert into an equisatisfiable set of equations E in solved form u Step 2: Use this set of equations together with the canonizer to check if any disequality is violated Suppose a b canon ( E ( a ) ) = canon ( E ( b ) ) T = E ( a ) = E ( b ) T E = a = b T E { a b } is unsatisfiable l Technical detail: The method is complete only for convex theories

80 Shostaks Method: The Algorithm Shostak,,, := ; WHILE DO BEGIN Remove some equality a = b from ; Let a:= a and b:= b ; Let := a= b ; IF = false THEN RETURN FALSE; Let := U ; END IF a = b for some a b in THEN RETURN FALSE; ELSE RETURN TRUE; Shostak(,,, ) = TRUE iff is satisfiable in T

81 Nelson-Oppen: Definitions l Theories must be stably-infinite u A theory T is stably-infinite if every quantifier-free formula is satisfiable in T iff it is satisfiable in an infinite model of T l Terminology for combinations of theories u Theories T 1, T 2, … T n with signatures 1, 2, … n u As with Shostak, signatures must be disjoint u Members of i are called i-symbols u An expression containing only i-symbols is called pure u An i-term is a constant i-symbol, an application of a functional i-symbol, or an i-variable u Each variable is associated arbitrarily with a theory

82 Nelson-Oppen: Definitions l Terminology for combinations of theories (continued) u An i-predicate is the application of a predicate i-symbol u An atomic i-formula is an i-predicate or an equation whose left-hand side is an i-term u An i-literal is an atomic i-formula or its negation u An occurrence of a term is i-alien if it is a j-term (i j) and all its super-terms are i-terms l If S is a set of terms, then an arrangement of S is a set of equations and disequations induced by a partition of S u S = { a, b, c } u Partition P = { { a, b }, { c } } u Arrangement : { a = b, a c, b c }

83 Nelson-Oppen: Purification Phase NO-Purify( ) WHILE != DO BEGIN Let be some i-literal in ; IF is pure THEN Remove from ; i := i U { }; ELSE Let t be an i-alien j-term in ; Replace every occurrence of t in with a new j-variable z; := U { j = t }; ENDIF END RETURN 1^…^ n; is satisfiable in T iff 1 ^ 2 ^ … n is satisfiable in T

84 Nelson-Oppen: Check Phase NO-Check( 1,... n,Sat1,…,Satn) Let S be the set of variables which appear in more than one i; Let A be an arrangement of S; sat := TRUE; FOREACH i DO BEGIN sat := sat ^ Sati( i^A); END RETURN sat; l The second step is non-deterministic 1 ^ 2 ^ … n is satisfiable in T iff it is possible for NO-Check to return TRUE l If the theories are convex, the algorithm can be determinized inexpensively

85 Nelson-Oppen: A Variation l The purification phase can be eliminated l S is a set of terms rather than a set of variables l In calls to Sat i, i-alien terms are treated as variables NO-Check(,Sat 1,…,Sat n ) Let S be the set of terms which are i-alien in either an i-literal or an i-term in ; Let A be an arrangement of S; sat := TRUE; FOREACH set of i-literals i in DO BEGIN sat := sat ^ Sat i ( i^A); END RETURN sat;

86 Combining Shostak and Nelson-Oppen NO-Shostak(,,,Sat NO ) Let S be the set of shared terms; Let be the 1-equalities, the 1-disequalities, and NO the 2-literals in ; := ; LOOP BEGIN IF !Sat NO ( NO ^A = ) THEN RETURN FALSE; ELSE IF !Sat NO ( NO ^A) THEN Choose a,b from S such that T 2 NO A |= a=b, but a=b A = ELSE IF = THEN BREAK; ELSE Remove some equality a = b from ; Let a:= (a) and b:= (b); Let := (a= b); IF = {false} THEN RETURN FALSE; Let := ( ) U ; END IF A THEN RETURN TRUE; ELSE RETURN FALSE;

87 Combining Shostak and Nelson-Oppen NO-Shostak(,, ) := ;S := ; LOOP BEGIN IF t1=f(x 1,…,x n ), t 2 =f(y1,…,yn) with t1,t2 in S and norm(xi)=norm(yi) but norm(t1) != norm(t2) THEN a := t1, b := t2; ELSE IF = THEN RETURN TRUE; ELSE Remove some equality a = b from ; Let a:= can(a) and b:= can(b); Add each sub-term of a,b to S; Let := (a= b); IF = {false} THEN RETURN FALSE; Let := ( ) U ; END RETURN TRUE;

88 Individual Theories l SVC contains decision procedures for a number of individual theories u Pure equality with uninterpreted functions u Real linear arithmetic u Arrays u Bit-vectors u Records l In our efforts to revisit and improve these decision procedures, a number of interesting issues were uncovered u Finite domains u Strategies for arithmetic

89 Finite Domains l Theoretical technicalitiy u Cannot directly combine a theory with only finite models u Not stably-infinite u Union of theories likely to actually be inconsistent u Solution: Form an extended theory whose relativized reduct with respect to a new predicate P is the theory with a finite domain. l Implementation strategy for nonconvexity u Keep track of the terms for which P holds u Use graph coloring to determine satisfiability

90 Arithmetic l Suppose we want to handle linear arithmetic formulas with mixed variable types: some real and some integer. l One approach is the following: u Split weak inequalities into the disjunction of an equation and a strong inequality u Use Shostak-style solver to eliminate all equations that can be solved for a real variable u Use Fourier-Motzkin techniques to eliminate all real variables from inequalities u Eliminate disequalities which can be solved for a real variable u Whats left can be done with Presburger decision procedures

91 Math symbols ()

Download ppt "Checking Validity of Quantifier-Free Formulas in Combinations of First-Order Theories Clark W. Barrett Ph.D. Dissertation Defense Department of Computer."

Similar presentations

Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.

Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.
A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols Sumit Gulwani George Necula EECS Department University of California,

A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols Sumit Gulwani George Necula EECS Department University of California,
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
The simplex algorithm The simplex algorithm is the classical method for solving linear programs. Its running time is not polynomial in the worst case.

The simplex algorithm The simplex algorithm is the classical method for solving linear programs. Its running time is not polynomial in the worst case.
NP-Hard Nattee Niparnan.

NP-Hard Nattee Niparnan.
1 Constraint operations: Simplification, Optimization and Implication.

1 Constraint operations: Simplification, Optimization and Implication.
Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 

Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 
Proofs from SAT Solvers Yeting Ge ACSys NYU Nov 20 2007.

Proofs from SAT Solvers Yeting Ge ACSys NYU Nov
On Solving Presburger and Linear Arithmetic with SAT Ofer Strichman Carnegie Mellon University.

On Solving Presburger and Linear Arithmetic with SAT Ofer Strichman Carnegie Mellon University.
Automated Reasoning Systems For first order Predicate Logic.

Automated Reasoning Systems For first order Predicate Logic.
© The McGraw-Hill Companies, Inc., 2005 8 - 1 Chapter 8 The Theory of NP-Completeness.

© The McGraw-Hill Companies, Inc., Chapter 8 The Theory of NP-Completeness.
1.2 Row Reduction and Echelon Forms

1.2 Row Reduction and Echelon Forms
Linear Equations in Linear Algebra

Linear Equations in Linear Algebra
Lesson 8 Gauss Jordan Elimination

Lesson 8 Gauss Jordan Elimination
Plan for today Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search.

Plan for today Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search.
Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.

Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.
Nikolaj Bjørner Microsoft Research Lecture 3. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.

Nikolaj Bjørner Microsoft Research Lecture 3. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.

1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.
1 Deciding separation formulas with SAT Ofer Strichman Sanjit A. Seshia Randal E. Bryant School of Computer Science, Carnegie Mellon University.

1 Deciding separation formulas with SAT Ofer Strichman Sanjit A. Seshia Randal E. Bryant School of Computer Science, Carnegie Mellon University.

Similar presentations

Ads by Google