Ofer Strichman, Technion Deciding Combined Theories

Technion So far we know how to… Decide Equality Logic with Uninterpreted Functions: ( x 1 = x 2 ) Ç : ( f ( x 2 ) = x 3 ) Æ … Decide Disjunctive Linear arithmetic: 3 x x 2 ¸ 2 x 3 Æ x 2 · 4 x 4 … What about a combined formula ? ( x 2 ¸ x 1 ) Æ ( x 1 - x 3 ¸ x 2 ) Æ ( x 3 ¸ 0) Æ f ( f ( x 1 ) - f ( x 2 ))  f ( x 3 )

Technion We also know how to… Decide bit-vector equations a[32] £ b[32] = b[32] £ a[32] But how shall we decide f (a[32], b[1]) = f (b[32], a[1]) Æ a[32] = b[32]

Technion More combination examples: Combining lists, arithmetic and Uninterpreted Functions: ( x 1 · x 2 ) Æ ( x 2 · x 1 + car ( cons (0, x 1 ))) Æ p ( h ( x 1 ) – h ( x 2 )) Æ :p (0) Combining Arrays and Arithmetic: x = store( v, i, e )[ j ] Æ y = v [ j ] Æ x > e Æ x > y

Technion Combining theories Approach #1: Reduce all theories to a common logic, if possible (e.g. Propositional Logic).  All un-quantified theories we saw so far are in NP.  We saw their direct translation to SAT (i.e. not through a Turing-machine). Approach #2: Combine decision procedures of the individual theories.  How? we will learn the Nelson-Oppen method* * Greg Nelson and Derek Oppen, simplification by cooperating decision procedures, 1979

Technion Reminders: theories and signatures First order logic –  Symbols (Boolean connectives and quantifiers over variables), Syntax (wff-s ).  Axioms, inference rules. First order theories –  Additional axioms and symbols characterizing the theory.  The signature  of a theory T holds the set of functions and predicates of the theory. “First order quantifier-free theories with equality” – the equality predicate must be part of the signature.

Technion The Theory-Combination problem Given theories T 1 and T 2 with signatures  1 and  2, the combined theory T 1 © T 2  has signature  1 [  2 and  the union of their axioms. Let  be a  1 [  2 formula. The problem: Does T 1 © T 2 ² 

Technion The problem The Theory-Combination problem is undecidable (even when the individual theories are decidable). Under certain restrictions, it becomes decidable. We will assume the following restrictions:  T  and T  are decidable, quantifier-free first-order theories with equality.  Disjoint signatures (other than equality):   Å   = ;  More restrictions to follow…

Technion The Nelson-Oppen method (1) Purification: validity-preserving transformation of the formula after-which sub-expressions from different theories are not mixed. 1. Replace an `alien’ sub-expression  with a new auxiliary variable a 2. Constrain the formula with a =  Transform x  ·  f  x   … into x  ·  a   Æ  a   f  x   Arithmetic Uninterpreted Functions Pure expressions, shared variables

Technion The Nelson-Oppen method (2) After purification we are left with several sets of pure expressions F 1 … F n such that:  F i belongs to some ‘pure’ theory which we can decide.  Shared variables are allowed, i.e. it is possible that for some i, j, vars ( F i ) Å vars ( F j )  ;.   is satisfiable $ F 1 Æ … Æ F n is satisfiable

Technion The Nelson-Oppen method* (3) 1. Purify  into F 1 Æ … Æ F n. 2. If 9i. F i is unsatisfiable, return `unsatisfiable’. 3. If 9i, j. F i implies an equality not implied by F j, add it to F j and goto step Return `satisfiable’. * So far only for ‘non-convex’ theories – to be explained

Technion Example (1) ( x 1 · x 2 ) Æ ( x 2 · ( x 1 + car ( cons (0, x 1 )))) Æ p ( h ( x 1 ) – h ( x 2 )) Æ :p (0) Purification: ( x 1 · x 2 ) Æ ( x 2 · x 1 + a 1 ) Æ p ( y 2 ) Æ :p (0) Æ a 1 = car ( cons ( a 5, x 1 )) Æ a 2 = a 3 – a 4 Æ a 3 = h ( x 1 ) Æ a 4 = h ( x 2 ) Æ a 5 = 0

Technion Example (1), cont’d ArithmeticEUFLists x 1 · x 2 x 2 · x 1 + a 1 a 2 = a 3 – a 4 a 5 = 0 a 3 = h ( x 1 ) a 4 = h ( x 2 ) p ( a 2 ) :p ( a 5 ) a 1 = car ( cons ( a 5, x 1 )) a 1 = a 5 x 1 = x 2 a 1 = a 5 x 1 = x 2 a 3 = a 4 a 2 = a 5 False

Technion Example(2) ( x 2 ¸ x 1 ) Æ ( x 1 – x 3 ¸ x 2 ) Æ ( x 3 ¸ 0) Æ f ( f ( x 1 ) – f ( x 2 ))  f ( x 3 ) Purification: ( x 2 ¸ x 1 ) Æ ( x 1 – x 3 ¸ x 2 ) Æ ( x 3 ¸ 0) Æ f (a 1 )  f ( x 3 ) Æ a 1 = a 2 – a 3 Æ a 2 = f ( x 1 ) Æ a 3 = f ( x 2 )

Technion Example (2) – cont’d ArithmeticEUF x 2 ¸ x 1 x 1 – x 3 ¸ x 2 x 3 ¸ 0 a 1 = a 2 – a 3 f (a 1 )  f ( x 3 ) a 2 = f ( x 1 ) a 3 = f ( x 2 ) x 3 = 0 x 1 = x 2 a 2 = a 3 a 1 = 0 False

Technion Wait, it’s not so simple… Consider:  : 1 · x Æ x · 2 Æ p ( x ) Æ :p (1) Æ :p (2 ) x2Zx2Z Neither theories imply an equality, and both are satisfiable. But  is unsatisfiable! Arithmetic over Z Uninterpreted predicates 1 · x x · 2 p ( x ) :p (1) :p (2)

Technion Some theories have it, some don’t Definition: A theory T is convex if for all conjunctions  it holds that  ! Ç i=1.. n x i = y i for some n > 1,  ! x i = y i for some i 2 {1..n} where x i, y i are some T variables. Convex: Linear Arithmetic over R, EUF Non-convex: Almost anything else…

Technion Convexity: examples Linear arithmetic over R without ‘ £ ’ is convex  : x 1 · 1 Æ x 1 ¸ 0 implies an infinite disjunction of equalities,  : x 1 · 1 Æ x 1 ¸ 1 ! x 1 = 1 implies a singleton  : x 1 · 1 Æ x 1 ¸ 2implies everything Linear arithmetic over Z is not convex  : 1 · x 1 Æ x 1 · 2 Although  ! ( x 1 = 1 Ç x 1 =2) It is not the case that  ! x 1 = 1 Ç  ! x 1 = 2

Technion So why is convexity important ? Recall:  : 1 · x Æ x · 2 Æ p ( x ) Æ :p (1) Æ :p (2) x2Z Neither theories imply an equality, and both are satisfiable. Arithmetic over Z Uninterpreted predicates 1 · x x · 2 p ( x ) :p (1) :p (2)

Technion So why is convexity important ? (cont’d) But: 1 · x Æ x · 2 imply the disjunction x = 1 Ç x = 2 Since the theory is non-convex we cannot propagate either x =1 or x =2. We can only propagate the disjunction itself.

Technion So why is convexity important ? (cont’d) Propagate the disjunction and perform case-splitting. Arithmetic over Z Uninterpreted predicates 1 · x x · 2 p ( x ) :p (1) Æ:p (2) x = 1 Ç x = 2 h¢i Æ x = 1 False h¢i Æ x = 2 False Split!

Technion So why is convexity important? (cont’d) Conclusion: when the theory is non-convex, we must case-split. This adds a splitting step in Nelson-Oppen. As a result:  Convex theories: Polynomial  Non-Convex theories: Exponential

Technion The (full) Nelson-Oppen method 1. Purify  into  ’: F 1 Æ…Æ F n. 2. If 9i. F i is unsatisfiable, return `unsatisfiable’. 3. If 9i, j. F i implies an equality not implied by F j, add it to F j and goto step If 9i. F i ! ( x 1 = y 1 Ç…Ç x k = y k ) but 8j F i 9 x j = y j, apply recursively to  ’ Æ x 1 = y 1, …,  ’ Æ x k = y k. If any of them is satisfiable, return ‘satisfiable’. Otherwise return ‘unsatisfiable’. 5. Return `satisfiable’.

Technion Correctness is hard to prove… We will prove correctness for the case of combining two convex theories. The generalization is not hard. The proof is based on [NO79]. (  ) If N.O. returns ‘unsatisfiable’ in line 2,  is unsatisfiable. (That’s the simple side)  Proof: Purification in line 1 guarantees that  is unsat iff F 1 ÆF 2 is unsat. In line 2 we return unsat only if F 1 or F 2 are unsat. (  ) If N.O. returns ‘satisfiable’,  is satisfiable. (This will require several definition and lemmas)

Technion Proof (  ) Dfn: A residue of a formula , denoted Res(  ), is the strongest Equality Logic formula implied by . Res( x = f ( a ) Æ y = f ( b )) is a = b ! x = y Res( x· y Æ y· x ) is x = y Lemma 1: For any formula F, there exists a formula Res( F )

Technion Proof (  ) Recall: the Logical symbols of a formula are those shared by all first-order theories. We consider `=‘ as a logical symbol. The Non-logical symbols are theory-specific. Dfn: The parameters of a formula , denoted param (  ), are the non-logical un-quantified symbol in . Craig’s Interpolation Lemma: if A and B are formulas such that A ! B, then there exists a formula H such that A ! H and H ! B, and param( H ) µ param( A ) Å param( B ).

Technion Proof (  ) Lemma 2: if F 1 and F 2 are formulas with disjoint signatures, Res( F 1 Æ F 2 ) $ (Res( F 1 ) Æ Res( F 2 )). Proof: (  )  F 1 ! Res( F 1 ), F 2 ! Res( F 2 ),  F 1 Æ F 2 ! Res( F 1 ) Æ Res( F 2 )  Res( F 1 Æ F 2 ) ! Res( F 1 ) Æ Res( F 2 ) // * * The consequence (RHS) is Equality Logic, hence it is implied by the residue of the Antecedent (LHS).

Technion Proof of Lemma 2 (  ) F 1 Æ F 2 ! Res( F 1 Æ F 2 )  F 1 ! ( F 2 ! Res( F 1 Æ F 2 )) There exists an interpolant H such that ( F 1 ! H ) Æ ( H ! ( F 2 ! Res( F 1 Æ F 2 ))) Can be rewritten as (Res( F 1 ) ! H ) Æ ( H ! ( F 2 ! Res( F 1 Æ F 2 ))) because H is an Equality Logic formula, and hence e verything implied by F 1 is also implied by Res( F 1 ). (1) (2) (3) (4) Why is H an Equality Logic formula? because param(RES( F 1 Æ F 2 )) = {} //Equality Logic formula and param(F 1 ) Å param(F 2 ) = {}

Technion Proof of Lemma 2 (  ) Since Res( F 1 Æ F 2 ) is also an Equality Logic formula: (Res( F 1 ) ! H) Æ (H ! (Res(F 2 ) ! Res( F 1 Æ F 2 ))) which implies (Res( F 1 ) ! (Res( F 2 ) ! Res( F 1 Æ F 2 ))) and hence (Res( F 1 ) Æ Res( F 2 )) ! Res( F 1 Æ F 2 ) q.e.d (Lemma 2): Res( F 1 ) Æ Res( F 2 ) $ Res( F 1 Æ F 2 ) (5) (6) (7)

Technion Proof of lemma 2 (  ) So we have Res( F 1 ) ! (H ! ( F 2 ! (Res(F 2 ) ! Res( F 1 Æ F 2 ))))  Res( F 1 ) ! (Res( F 2 ) ! Res( F 1 Æ F 2 ))  Since the right hand side is Equalities, then everything implied by F 1 is also implied by Res( F 1 ). Hence, (Res( F 1 ) Æ Res( F 2 )) ! Res( F 1 Æ F 2 ) q.e.d (Lemma 2): Res( F 1 ) Æ Res( F 2 ) $ Res( F 1 Æ F 2 )

Technion Lemma 3 Lemma 3:  Let F 1 and F 2 be satisfiable Equality Logic formulas s.t. V = vars( F 1 ) [ vars( F 2 ). 8x, y 2 V, ( F 1 ! x = y Æ F 2 ! x = y ) or ( F 1 9 x = y Æ F 2 9 x = y )  Then, F 1 Æ F 2 is satisfiable. Proof: Let  S = the set of all equalities implied by both F 1 and F 2  T = the rest of the possible equalities in V.   = an assignment s.t. 8eq 2 S  ² eq, 8eq 2 T,  2 eq  Claim:  ² F 1 Æ F 2

Technion Proof of Lemma 3 Falsely assume that  2 F 1 Then, Æ eq 2 T : eq is what makes this formula unsat  Why? because 1. F 1 itself is sat, and 2. Due to monotonicity of NNF, S cannot make it unsat  Hence F 1 ! Ç eq 2 T eq If 9 eq 2 T. F 1 ! eq, then eq 2 S (contradiction) Otherwise, F 1 is non-convex (contradiction) q.e.d (Lemma 3)

Technion Proof (  ) Now suppose N.O. returns SAT although F 1 Æ F 2 is unsatisfiable. Res( F 1 Æ F 2 ) = false Hence, by Lemma 2, Res( F 1 ) Æ Res( F 2 ) = false

Technion Proof (  ) On the other hand, in step 4, where we return ‘SAT’, we know that  F 1 and F 2 are separately satisfiable  F 1 and F 2 imply exactly the same equalities.  Thus, Res( F 1 ) and Res( F 2 ) are satisfiable and imply the same equalities. Hence, according to Lemma 3, Res( F 1 ) Æ Res( F 2 ) is also satisfiable, i.e. Res( F 1 ) Æ Res( F 2 )  false (contradiction). Q.E.D (N.O.)

Technion More problems… Definition: A  -theory T is Stably-infinite if for every quantifier-free  -formula   is satisfiable,  can be satisfied by an interpretation with an infinite domain. This is the opposite of the small-model-property. Specifically, this means that no theory with a finite domain is stably infinite.

Technion Problem: non-stably infinite theories Consider a theory T 1 :   1 : A function f,  Axioms that only allow solutions with 2 elements. And a theory T 2 :   2 : A function g,  Domain: N So this formula is unsatisfiable:  f ( x 1 )  f ( x 2 ) Æ g ( x 1 )  g ( x 3 ) Æ g ( x 2 )  g ( x 3 ) Recall that the combined theory T 1 © T 2 has the union of the axioms. Hence the solution to any formula  2 T 1 © T 2 cannot have more than 2 elements.

Technion Problem: non-stably infinite theories  f ( x 1 )  f ( x 2 ) Æ g ( x 1 )  g ( x 3 ) Æ g ( x 2 )  g ( x 3 ) T1T1 T2T2 f ( x 1 )  f ( x 2 ) g ( x 1 )  g ( x 3 ) g ( x 2 )  g ( x 3 ) No equalities to propagate: Satisfiable !

Technion Solution to non-stable infinite theories Nelson-Oppen method cannot be used. Recently a solution to this problem was suggested by Tinelli & Zarba [TZ05]  Assuming all combined theories are stably-finite (i.e. has a small model property), it computes the upper bound on the minimal satisfying assignment, and propagates this information between the theories.

Technion Solution to non-stable infinite theories Nelson-Oppen method cannot be used. Recently a solution to this problem was suggested by Tinelli & Zarba [TZ05]  Assume all combined theories are stably finite (i.e. have a small model property), and one has only finite models. The bound N i on the minimal satisfying assignment of formulas in theory T i is computable.  Transfer N i between theories.  If there is no solution to theory j with cardinality at least N_i (for all i), return unsatisfiable.  …