1 Decision Procedures An algorithmic point of view Equality Logic and Uninterpreted Functions

2 Outline Introduction  Definition, complexity  Reducing Uninterpreted Functions to Equality Logic  Using Uninterpreted Functions in proofs  Simplifications Introduction to the decision procedures  The framework: assumptions and normal forms  General terms and notions  Solving a conjunction of equalities  Simplifications

3 Equality Logic A Boolean combination of Equalities and Propositions x 1 =x 2 Æ ( x 2 = x 3 Ç : (( x 1 = x 3 ) Æ b Æ x 1 = 2)) We will always push negations inside (NNF): x 1 =x 2 Æ ( x 2 = x 3 Ç (( x 1  x 3 ) Ç : b Ç x 1  2)) Note: the set of Boolean variables is always separate from the set of term variables

4 Equality Logic: the grammar formula : formula Ç formula | : formula | atom atom : term-variable = term-variable | term-variable = constant | Boolean-variable term-variables are defined over some (possible infinite) domain. The constants are from the same domain.

5 Expressiveness and complexity Allows more natural description of systems, although technically it is as expressible as Propositional Logic. Clearly NP-hard. In fact, it is in NP, and hence NP-complete, for reasons we shall see later.

6 Equality logic with uninterpreted functions formula : formula Ç formula | : formula | atom atom : term = term | Boolean-variable term: term-variable | function ( list of terms ) term-variables are defined over some (possible infinite) domain. Note that constants are functions with empty list of terms.

7 What is an uninterpreted function ? The signature  includes in addition to equality, function and predicate symbols. The theory restricts the interpretation of these symbols by a single axiom. For n -ary function F : Sometimes, functional consistency is all that is needed for the proof.

8 Uninterpreted Functions Uninterpreted functions are used for abstraction. Example: replace ‘ + ’ with an uninterpreted Binary function f ( h 1 st arg i, h 2 nd arg i ) For example: x 1 + x 2 = x 3 +x 4 is replaced with f can represent any binary function, not just +.

9 Example: Circuit Transformations Circuits consist of combinational gates and latches (registers) The combinational gates can be modeled using functions The latches can be modeled with variables R1R1 I Latch Combi- national part

10 Example: Circuit Transformations Some function, say I >> 5 Some other function, say L1 & … Some bitvector Input Some condition on L2

11 Example: Circuit Transformations A pipeline processes data in stages Data is processed in parallel – as in an assembly line Formal Model: Stage 1 Stage 3 Stage 2

12 Example: Circuit Transformations The maximum clock frequency depends on the longest path between two latches Note that the output of g is used as input to k We want to speed up the design by postponing k to the third stage Also note that the circuit only uses one of L 3 or L 4, never both  We can remove one of the latches

13 Example: Circuit Transformations = ?

14 Example: Circuit Transformations Equivalence in this case holds regardless of the actual functions Conclusion: can be decided using Equality Logic and Uninterpreted Functions

15 For each function in  UF :  Number function instances (from the inside out)  Replace each function instance with a new variable  Condition  UF with a functional consistency constraint for every pair of instances of the same function. UFs  Equality Logic: Ackermann’s reduction F 2 ( F 1 ( x )) = 0 f 2 = 0 F ( ), G ( ),… (( x = f 1 )  f 1 = f 2 )  f 2 =0) Given a formula  UF with uninterpreted functions f1f1 f2f2

16 Ackermann’s reduction : Example Given the formula ( x 1  x 2 ) Ç ( F ( x 1 ) = F ( x 2 )) Ç ( F ( x 1 )  F ( x 3 )) which we want to check for validity, we first number the function instances: ( x 1  x 2 ) Ç ( F 1 ( x 1 ) = F 2 ( x 2 )) Ç ( F 1 ( x 1 )  F 3 ( x 3 ))

17 Ackermann’s reduction : Example ( x 1  x 2 ) Ç ( F 1 ( x 1 ) = F 2 ( x 2 )) Ç ( F 1 ( x 1 )  F 3 ( x 3 )) Replace each function with a new variable, ( x 1  x 2 ) Ç ( f 1 = f 2 ) Ç ( f 1  f 3 ) Condition with Functional Consistency constraints:

18 Given a formula  UF with UFs For each function in  UF :  Number function instances (from the inside out)  Replace a function instance F i with an expression case x 1 = x i : f 1 x 2 = x i : f 2 x i-1 =x i : f i-1 true : f i UFs  Equality Logic: Bryant’s reduction F 1 ( x 1 ) = F 2 ( x 2 ) F ( ), G ( ),… case x 1 = x 2 : f 1 true :  f 2 f 1 =

19 Given a formula  UF with UFs For each function in  UF :  Number function instances (from the inside out)  Replace a function instance F i with an expression case x 1 = x i : f 1 x 2 = x i : f 2 x i-1 =x i : f i-1 true : f i UFs  Equality Logic: Bryant’s reduction F 1 ( x 1 ) = F 2 ( x 2 ) F ( ), G ( ),… ( x 1 = x 2 → f 1 = f 1 ) Æ ( x 1  x 2 → f 1 = f 2 )

20 Bryant’s reduction: Example x 1 = x 2  F 1 ( G 1 ( x 1 )) = F 2 ( G 2 ( x 2 )) Replace each function with an expression where

21 Using UFs in proofs Uninterpreted functions gives us the ability to represent an abstract view of functions. It over-approximates the concrete system = 1 is a contradiction But F (1,1) = 1 is satisfiable ! Conclusion: unless we are careful, we can give wrong answers and this way lose soundness.

22 Using UFs in proofs In general a sound and incomplete method is more useful than unsound and complete. A sound but incomplete algorithm: Given a formula with uninterpreted functions  UF :  Transform it to Equality Logic formula  E  If  E is unsatisfiable return Unsatisfiable  Else return ‘Don’t know’

23 Using UFs in proofs Question #1: is this useful ? Question #2: can it be made complete in some cases ? When the abstract view is sufficient for the proof, it enables (or simplifies) a mechanical proof. So when is the abstract view sufficient ?

24 Using UFs in proofs (cont’d) (common) Proving equivalence between:  Two versions of a hardware design e.g., one with and one without a pipeline  Source and target of a compiler (“Translation Validation”) (rare) Proving properties that do not rely on the exact functionality of some of the functions.

25 Example: Translation Validation Assume the source program has the statement z = ( x 1 + y 1 )  ( x 2 + y 2 ) which the compiler turned into: u 1 = x 1 + y 1 ; u 2 = x 2 + y 2 ; z = u 1  u 2 ; We need to prove that: ( u 1 = x 1 + y 1  u 2 = x 2 + y 2  z = u 1  u 2 )  z = ( x 1 + y 1 )  ( x 2 + y 2 )

26 Example (cont’d) ( u 1 = x 1 + y 1  u 2 = x 2 + y 2  z = u 1  u 2 )  z = ( x 1 + y 1 )  ( x 2 + y 2 ) ( u 1 = F 1 ( x 1, y 1 )  u 2 = F 2 ( x 2, y 2 )  z = G 1 ( u 1, u 2 ))  z = G 2 ( F 1 ( x 1, y 1 ), F 2 ( x 2, y 2 )) Claim: is valid We will prove this by reducing it to an Equality Logic formula  UF :

27 Uninterpreted Functions: usability Good: each function on the left can be mapped to a function on the right with equivalent arguments Bad: almost all other cases Example: LeftRight x + x 2 x

28 Uninterpreted Functions: usability This is easy to prove: x1 = x2  y1 = y2  x1 + y1 = x2 + y2x1 = x2  y1 = y2  x1 + y1 = x2 + y2 This requires knowledge on commutativity: x 1 = y 2  y 1 = x 2  x 1 + y 1 = x 2 + y 2 easy fix: ((x 1 = x 2  y 1 = y 2 )  ( x 1 = y 2  x 2 = y 1 ))  f 1 = f 2 What about other cases ? use Rewriting rules

29 Example: equivalence of C programs (1/4) These two functions return the same value regardless if it is ‘*’ or any other function. Conclusion: we can prove equivalence by replacing ‘*’ with an Uninterpreted Function Power3 (int in ) { out = in ; for ( i =0; i < 2; i ++) out = out * in ; return out ; } Power3 _ new (int in ) { out = ( in * in )* in ; return out ; }

30 Example: equivalence of C programs (1/4) But first… we need to know how to write programs as equations. We will learn one out of several options, namely Static Single Assignment for Bounded programs. Power3 (int in ) { out = in ; for ( i =0; i < 2; i ++) out = out * in ; return out ; } Power3 _ new (int in ) { out = ( in * in )* in ; return out ; }

31 From programs to equations Static Single Assignment (SSA) form Ma ze???

32 Static Single Assignment form In this case we can replace  with a guard: y 3 Ã x 2 < 3 ? y 1 : y 2 Problem: What do we do with loops ?

33 SSA for bounded programs For each loop i in a given program, let k i be a bound on its iteration count. Unroll the program according to the bounds. We are left with statements and conditions.

34 SSA for bounded programs : x = 0; while (x < y) { x++; z = z + y; } x = 0; z = z * 2; Let k 1 = 2  …  x 0 = 0  guard 0 = x 0 < y 0  x 1 = guard 0 ? x 0 + 1: x 0  z 1 = guard 0 ? z 0 + y 0 : z 0  guard 1 = x 1 < y 0  x 2 = guard 1 ? x 1 + 1: x 1  z 2 = guard 1 ? z 1 + y 0 : z 1  x 4 = 0  z 3 = z 2 * 2

35 Example: equivalence of C programs (2/4) Power3 (int in ) { out = in ; for ( i =0; i < 2; i ++) out = out * in ; return out ; } Power3 _ new (int in ) { out = ( in * in )* in ; return out ; } out 0 = in Æ out 1 = out 0 * in Æ out 2 = out 1 * in out ’ 0 = ( in ’ * in ’ ) * in ’ Prove that both functions return the same value ( out 2 = out ’ 0 ) given that in = in ’ Static Single Assignment (SSA) form:

36 Example: equivalence of C programs (3/4) out 0 = in Æ out 1 = out 0 * in Æ out 2 = out 1 * in out ’ 0 = ( in ’ * in ’ ) * in ’ With Uninterpreted Functions: out 0 = in Æ out 1 = F 1 ( out 0, in ) Æ out 2 = F 2 ( out 1, in ) out ’ 0 = F 4 ( F 3 ( in ’, in ’ ), in ’ ) Static Single Assignment (SSA) form:

37 Example: equivalence of C programs (4/4) With Uninterpreted Functions: out 0 = in Æ out 1 = F 1 ( out 0, in ) Æ out 2 = F 2 ( out 1, in ) out ’ 0 = F 4 ( F 3 ( in ’, in ’ ), in ’ )  E a : out 0 = in Æ out 1 = f 1 Æ out 2 = f 2  E b : out ’ 0 = f 4 Ackermann’s reduction: The Verification Condition (“the proof obligation”) (( out 0 = out 1 Æ in = in ) ! f 1 = f 2 ) Æ (( out 0 = in ’ Æ in = in ’) ! f 1 = f 3 ) Æ (( out 0 = f 3 Æ in = in ’) ! f 1 = f 4 ) Æ (( out 1 = in ’ Æ in = in ’) ! f 2 = f 3 ) Æ (( out 1 = f 3 Æ in = in ’) ! f 2 = f 4 ) Æ (( in ’ = f 3 Æ in ’ = in ’) ! f 3 = f 4 ) Æ ( in = in ’) Æ  E a Æ  E b ! out 2 = out ’ 0

38 Uninterpreted Functions: simplifications Let n be the number of function instances of F () Both reduction schemes require O( n 2 ) comparisons This can be the bottleneck of the verification effort Solution: try to guess the pairing of functions Still sound: wrong guess can only make a valid formula invalid

39 UFs: simplifications (1) Given that x 1 = x 1 ’, x 2 = x 2 ’, x 3 = x 3 ’, prove ² o 1 = o 2 o 1 = ( x 1 + ( a ¢ x 2 ))  a = x 3 + 5Left f1 f2f1 f2 o 2 = ( x 1 ’ + ( b ¢ x 2 ’))  b = x 3 ’ + 5Right f3f4f3f4 4 function instances  6 comparisons

40 UFs: simplifications (2) o 1 = ( x 1 + ( a ¢ x 2 ))  a = x 3 + 5Left f1 f2f1 f2 o 2 = ( x 1 ’ + ( b ¢ x 2 ’))  b = x 3 ’ + 5Right f3f4f3f4 Guess: validity of equivalence does not rely on f 1 = f 2 or on f 3 = f 4 Conclusion: only enforce functional consistency of pairs (Left,Right)

41 UFs: simplifications (3) Down to 4 comparisons… (from n ( n -1)/2 to n 2 /4) Another Guess: validity of equivalence only depends on f 1 = f 3 and f 2 = f 4 Pattern matching can be useful here... o 1 = ( x 1 + ( a ¢ x 2 ))  a = x 3 + 5Left f 1 f 2 o 2 = ( x 1 ’ + ( b ¢ x 2 ’))  b = x 3 ’ + 5Right f 3 f 4

42 UFs: simplifications (4) + ¢ in f1, f3f1, f3 + 5 f2, f4f2, f4 Match according to patterns (‘signatures’): Down to 2 comparisons… o 1 = ( x 1 + ( a ¢ x 2 ))  a = x 3 + 5Left f 1 f 2 o 2 = ( x 1 ’ + ( b ¢ x 2 ’))  b = x 3 ’ + 5Right f 3 f 4

43 UFs: simplifications (5) f1, f3f1, f3 Propagate through intermediate variables: + in ¢ o 1 = ( x 1 + ( a ¢ x 2 ))  a = x 3 + 5Left f 1 f 2 o 2 = ( x 1 ’ + ( b ¢ x 2 ’))  b = x 3 ’ + 5Right f 3 f 4 var in ¢ + 5

44 Same example  map F 1 to F 3 out 0 = in Æ out 1 = out 0 * in Æ out 2 = out 1 * in out ’ 0 = ( in ’ * in ’ ) * in ’ With Uninterpreted Functions: out 0 = in Æ out 1 = F 1 ( out 0, in ) Æ out 2 = F 2 ( out 1, in ) out ’ 0 = F 4 ( F 3 ( in ’, in ’ ), in ’ ) Static Single Assignment (SSA) form: F in F F  map F 2 to F 4

45 Same example, smaller Verification Condition With Uninterpreted Functions: out 0 = in Æ out 1 = F 1 ( out 0, in ) Æ out 2 = F 2 ( out 1, in ) out ’ 0 = F 4 ( F 3 ( in ’, in ’ ), in ’ )  E a : out 0 = in Æ out 1 = f 1 Æ out 2 = f 2  E b : out ’ 0 = f 4 Ackermann’s reduction: The Verification Condition has shrunk: (( out 0 = in ’ Æ in = in ’) ! f 1 = f 3 ) Æ (( out 1 = f 3 Æ in = in ’) ! f 2 = f 4 ) Æ ( in = in ’) Æ  E a Æ  E b ! out 2 = out ’ 0

46 now with Bryant’s reduction: With Uninterpreted Functions: out 0 = in Æ out 1 = F 1 ( out 0, in ) Æ out 2 = F 2 ( out 1, in ) out ’ 0 = F 4 ( F 3 ( in ’, in ’ ), in ’ )  E a : out 0 = in Æ out 1 = f 1 Æ out 2 = f 2  E b : out ’ 0 = case case in ’= out o Æ in ’= in : f 1 true: f 3 =out 1 Æ in ’ =in :: f 2 true: f 4 Bryant’s reduction: The Verification Condition (“the proof obligation”) Prove validity of:  E a Æ  E b Æ in = in ’) ! out 2 = out ’ 0

47 So is Equality Logic with UFs interesting? 1. It is expressible enough to state something interesting. 2. It is decidable and more efficiently solvable than richer logics, for example in which some functions are interpreted. 3. On the other, hand replacing functions with UF is an abstraction. 4. Models which rely on infinite-type variables are more naturally expressed in this logic in comparison with Propositional Logic.