Ofer Strichman, Technion
Slide 1. Decision Procedures in First Order Logic. Part III – Decision Procedures for Equality Logic and Uninterpreted Functions
Slide 2. Part I – Introduction (reminder)
- What is logic: proofs by deduction, proofs by enumeration; decidability, soundness and completeness
- Some notes on propositional logic
- Deciding propositional logic: SAT tools, BDDs
Slide 3. Part II – Introduction to Equality Logic and Uninterpreted Functions
- Introduction: definition, complexity
- Reducing uninterpreted functions to equality logic
- Using uninterpreted functions in proofs
- Simplifications
- Introduction to the decision procedures: the framework (assumptions and normal forms), general terms and notions, solving a conjunction of equalities, simplifications
Slide 4. Part III – Decision Procedures for Equality Logic and Uninterpreted Functions
- Algorithm I – from equality to propositional logic: adding transitivity constraints; making the graph chordal; an improved procedure that considers polarity
- Algorithm II – range allocation: what is the small-model property? finding a small adequate range (domain) for each variable; reducing to propositional logic
Slide 5. Decision procedures for equality logic
We first investigate methods that solve equality logic; uninterpreted functions are eliminated beforehand with one of the reduction schemes (Ackermann's or Bryant's).
Our starting point is the E-graph G^E(φ^E). Recall that G^E(φ^E) is an abstraction of φ^E: it represents ALL equality formulas with the same set of equality predicates as φ^E (the graph records which atoms occur, not how they are combined).
Slide 6. From equality to propositional logic (Bryant & Velev 2000)
φ^E = x1 = x2 ∧ x2 = x3 ∧ x1 ≠ x3
φ_enc = e1 ∧ e2 ∧ ¬e3
Encode every edge (equality atom) with a Boolean variable: e1 for x1 = x2, e2 for x2 = x3, e3 for x1 = x3 (for now, ignore polarity). This is an abstraction: the transitivity of equality is lost, so φ_enc alone is satisfiable (e1 = e2 = T, e3 = F) although φ^E is not. We must add transitivity constraints.
Slide 7. From equality to propositional logic
φ^E = x1 = x2 ∧ x2 = x3 ∧ x1 ≠ x3
φ_enc = e1 ∧ e2 ∧ ¬e3
For each cycle add a transitivity constraint:
φ_trans = (e1 ∧ e2 → e3) ∧ (e1 ∧ e3 → e2) ∧ (e3 ∧ e2 → e1)
Check the satisfiability of φ_enc ∧ φ_trans. Here the only assignment satisfying φ_enc violates e1 ∧ e2 → e3, so the conjunction is unsatisfiable, as φ^E is.
Slide 8. From equality to propositional logic
There can be an exponential number of cycles, so let us try to do better.
Theorem: it is sufficient to constrain simple cycles only (a cycle that revisits a vertex is a union of shorter cycles, and their constraints imply its constraint).
Slide 9. From equality to propositional logic
Still, there is an exponential number of simple cycles.
Theorem: it is sufficient to constrain chord-free simple cycles (a cycle with a chord splits into two shorter cycles that share the chord, and their constraints imply the constraint of the long cycle).
Slide 10. From equality to propositional logic
Still, there can be an exponential number of chord-free simple cycles. Solution: make the graph chordal.
Slide 11. From equality to propositional logic
Definition: a graph is chordal iff every cycle of size 4 or more has a chord (an edge between two non-adjacent vertices of the cycle).
How to make a graph chordal? Eliminate vertices one at a time, connecting all pairs of neighbours of the eliminated vertex; the added edges are the chords.
Slide 12. From equality to propositional logic
Once the graph is chordal, it is enough to constrain only the triangles, since every chord-free simple cycle of a chordal graph is a triangle. This procedure adds no more than a polynomial number of edges and results in a polynomial number of constraints (three per triangle).
[figure: a triangle with two edges assigned T and the third F violates its constraint: contradiction]
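Algorithm I of slides 6-12 in code, as an added example (this is not code from the lecture): one Boolean variable per edge, chordal completion by vertex elimination, three transitivity constraints per triangle, and a brute-force propositional check in place of a SAT solver. The formula is passed as a Python function of an eq(x, y) predicate together with the list of its atoms, so the same object can be read over edge variables; the 4-cycle formula and the names V3, ATOMS3, PHI3, V4, ATOMS4, PHI4 are constructed for this example.

```python
"""Algorithm I (slides 6-12): encode every equality atom of phi^E as a Boolean
edge variable, make the E-graph chordal by vertex elimination, add the three
transitivity constraints of every triangle, and decide phi_enc & phi_trans
propositionally (here by brute force over the edge variables).
Added example; not code from the lecture."""
from itertools import combinations, product


def chordal_triangles(vertices, edges):
    """Make the graph chordal: eliminate vertices one at a time and connect
    all neighbours of the eliminated vertex.  Returns (all edges, triangles)."""
    adj = {v: set() for v in vertices}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    all_edges = {frozenset(e) for e in edges}
    work = {v: set(n) for v, n in adj.items()}
    while work:
        v = min(work, key=lambda u: len(work[u]))   # min-degree elimination order
        nbrs = work.pop(v)
        for a, b in combinations(nbrs, 2):           # fill-in edges (chords)
            work[a].add(b)
            work[b].add(a)
            all_edges.add(frozenset((a, b)))
        for u in nbrs:
            work[u].discard(v)
    full = {v: set() for v in vertices}
    for e in all_edges:
        a, b = tuple(e)
        full[a].add(b)
        full[b].add(a)
    triangles = set()
    for a in vertices:
        for b, c in combinations(full[a], 2):
            if c in full[b]:
                triangles.add(frozenset((a, b, c)))
    return all_edges, triangles


def transitivity_constraints(triangles):
    """phi_trans: for every triangle, e_ab & e_bc -> e_ca and the two rotations.
    A constraint is a triple (premise, premise, conclusion) of edges."""
    cons = []
    for t in triangles:
        a, b, c = tuple(t)
        ab, bc, ca = frozenset((a, b)), frozenset((b, c)), frozenset((c, a))
        cons += [(ab, bc, ca), (ab, ca, bc), (bc, ca, ab)]
    return cons


def decide(vertices, atoms, phi_enc, with_trans=True):
    """atoms: the (x, y) pairs occurring as equality atoms in phi^E.
    phi_enc: the propositional skeleton, written as a function of an
    eq(x, y) predicate so it can be read over the edge variables.
    Returns a satisfying edge assignment or None."""
    edges, triangles = chordal_triangles(vertices, atoms)
    cons = transitivity_constraints(triangles) if with_trans else []
    edge_list = sorted(edges, key=sorted)
    for bits in product((False, True), repeat=len(edge_list)):
        alpha = dict(zip(edge_list, bits))
        if not phi_enc(lambda x, y: alpha[frozenset((x, y))]):
            continue
        if all(alpha[r] or not (alpha[p] and alpha[q]) for p, q, r in cons):
            return alpha
    return None


# Slide 6:  phi^E = x1 = x2 & x2 = x3 & x1 != x3   (unsatisfiable)
V3 = ["x1", "x2", "x3"]
ATOMS3 = [("x1", "x2"), ("x2", "x3"), ("x1", "x3")]
PHI3 = lambda eq: eq("x1", "x2") and eq("x2", "x3") and not eq("x1", "x3")

# Constructed 4-cycle:  x1 = x2 & x2 = x3 & x3 = x4 & x1 != x4.  Chordalisation
# adds one chord, so two triangles (six constraints) replace the 4-cycle.
V4 = ["x1", "x2", "x3", "x4"]
ATOMS4 = [("x1", "x2"), ("x2", "x3"), ("x3", "x4"), ("x1", "x4")]
PHI4 = lambda eq: (eq("x1", "x2") and eq("x2", "x3") and eq("x3", "x4")
                   and not eq("x1", "x4"))

if __name__ == "__main__":
    print("abstraction only:", decide(V3, ATOMS3, PHI3, with_trans=False))
    print("with phi_trans:  ", decide(V3, ATOMS3, PHI3))
    e, t = chordal_triangles(V4, ATOMS4)
    print(len(e), "edges,", len(t), "triangles;", decide(V4, ATOMS4, PHI4))
```

Running it shows the point of slide 6: without φ_trans the abstraction of the slide-6 formula has the model e1 = e2 = T, e3 = F; with the triangle constraints there is none. For the 4-cycle the elimination adds one chord and constrains two triangles instead of the cycle.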
Slide 13. Improvement: considering polarity
So far we did not consider the polarity of the edges. Draw an atom that occurs positively in the NNF of φ^E (as an equality) as a dashed edge and one that occurs negated (as a disequality) as a solid edge.
Claim: in the following graph, where e2 and e3 are dashed and e1 is solid, φ_trans = e3 ∧ e2 → e1 is sufficient; the other two implications of slide 7 are not needed. This is only true because of the monotonicity of NNF: φ_enc is in negation normal form, so flipping a dashed edge to T or a solid edge to F can only make φ_enc more true.
Slide 14. Definitions
Let C = (e_s, e_1, ..., e_n), where e_s is solid and e_1, ..., e_n are dashed, be a simple (contradictory) cycle. Consider a formula over the Boolean variables encoding C. We say that C is constrained in that formula with respect to e_s iff every assignment α with α(e_s) = F and α(e_1) = ... = α(e_n) = T contradicts the formula.
Slide 15. A theorem
Let φ'_trans constrain all simple contradictory cycles with respect to their solid edges.
Theorem: φ^E is satisfiable iff φ_enc ∧ φ'_trans is satisfiable.
Proof strategy: let α' be a satisfying assignment of φ_enc ∧ φ'_trans. We construct an assignment α that satisfies φ_enc ∧ φ_trans (the other direction is immediate, since φ_trans implies φ'_trans).
Slide 16. Definitions for the proof
A violating triangle under an assignment α' is a triangle with two edges e_T1, e_T2 assigned T and one edge e_F assigned F; e_F may be either dashed or solid. Such an assignment violates φ_trans but not necessarily φ'_trans.
Slide 17. More definitions for the proof
An edge e = (v1, v2) is conducting under an assignment α' iff there is a dashed path between v1 and v2 all of whose edges are assigned T under α'. We denote such an edge by a capital E.
[figure: a triangle v1, v2, v3 with E_T1 and E_T2 conducting under α' and E_F assigned F]
Observe: if two edges of a triangle are conducting under α', then so is the third (concatenate the two dashed T-paths).
Slide 18. Proof
This shape cannot be a violating triangle under α': e_F solid and assigned F, with E_T1 and E_T2 both conducting. (Two conducting edges make e_F conducting, so e_F closes a contradictory cycle whose dashed edges are all T; α'(e_F) = F then contradicts φ'_trans.) So every violating triangle is of one of two types:
Type 1: e_T1 (or e_T2, or both) is NOT conductive under α'; or
Type 2: not Type 1, and e_F is dashed.
Slide 19. Constructing α
Type 1: e_T1 is not conductive under α'. A T-edge that is not conductive must be solid (a dashed edge assigned T is conductive by itself), so assign α(e_T1) = F.
Type 2: otherwise E_F is dashed and conductive under α'. Assign α(e_F) = T.
In all other cases α = α'.
Slide 20. Constructing α
Starting from α', repeat until convergence:
- α(e_T1) := F in all Type 1 triangles
- α(e_F) := T in all Type 2 triangles
Termination is guaranteed: we only flip assignments in one direction (solid edges to F, dashed edges to T).
φ_enc is still satisfied, due to the monotonicity of NNF.
All Type 1 and Type 2 triangles now satisfy φ_trans by construction.
Left to prove: all contradictory cycles are still satisfied.
Slide 21. A supporting lemma
Let α_0, α_1, ..., α_n be the intermediate assignments of the reconstruction procedure, where α_0 = α' and α_n = α.
Lemma: for every edge e and every 0 < i ≤ n, e is conductive in α_i iff it is conductive in α_{i-1}.
Proof (⇒): Type 1 steps are not relevant (changing T to F cannot make a path conductive). A Type 2 step sets α_i(e) = T where α_{i-1}(e) = F only if e was already conductive in step i-1, so no new path becomes conductive.
Proof (⇐): Type 1 steps are not relevant (they apply only to solid edges, which do not affect conductivity). A Type 2 step makes an edge T, which can only make more edges conductive.
Slide 22. α satisfies all contradictory cycles: proof
1. Falsely assume that a contradictory cycle (e_s, e_i, e_j), where e_s is solid, is assigned (F, T, T) under the constructed α. (As the graph is chordal, it suffices to consider contradictory triangles.)
2. Such an assignment contradicts φ'_trans, so it is not α'. Hence one or more of these values are a result of the reconstruction.
3. α(e_i) = α(e_j) = T and they are dashed, hence they are conductive under α. By the lemma they were conductive under α' as well.
4. Conclusion: α'(e_s) = T (α'(e_s) = F would contradict φ'_trans, since e_i, e_j are conductive under α').
5. Therefore the reconstruction applied Type 1 to e_s.
6. Type 1 can only be applied to e_s if one of e_i, e_j is not conductive under α'. Contradiction. QED
Slide 23. Correctness of the improved procedure
[figure: the two kinds of violating cycle: a dashed violating cycle, whose F-edge e_d is dashed, and a solid violating cycle, whose F-edge e_s is solid; the solid case cannot satisfy the cycle's constraint: contradiction]
Slide 24. Improved procedure
How can we use the theorem without enumerating contradictory cycles? Answer: consider the chordal graph, and add constraints to triangles only where necessary to enforce the transitivity of contradictory cycles. How? See the lecture notes.
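The theorem of slides 13-22 in code, as an added example (not code from the lecture): φ'_trans is built by enumerating the simple contradictory cycles and constraining each one only with respect to its solid edge, a model of φ_enc ∧ φ'_trans is found by brute force, and the reconstruction of slides 19-21 repairs its violating triangles. The polarity of every atom is passed in explicitly (dashed and solid edge lists); cycle enumeration is exponential here, since the chordal variant of slide 24 is left to the lecture notes; the formulas PHI3, PHI4 and the edge lists are constructed for this example.

```python
"""Polarity-aware transitivity constraints (slides 13-24).  Added example, not
the lecture's code.  Dashed edges = equality atoms occurring positively in the
NNF of phi^E, solid edges = atoms occurring negated (polarities are given
explicitly).  phi'_trans constrains every simple contradictory cycle (exactly
one solid edge) only w.r.t. its solid edge; reconstruct() is the repair of
slide 20.  Cycle enumeration is exponential; the chordal variant is in the notes."""
from itertools import combinations, product


def simple_cycles(vertices, edges):
    """Every simple cycle once, as a vertex list (closed implicitly)."""
    adj = {v: set() for v in vertices}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    pos = {v: i for i, v in enumerate(vertices)}
    found = []

    def walk(start, path):
        for nxt in adj[path[-1]]:
            if nxt == start and len(path) >= 3:
                if pos[path[1]] < pos[path[-1]]:      # one orientation only
                    found.append(list(path))
            elif nxt not in path and pos[nxt] > pos[start]:
                walk(start, path + [nxt])              # start stays the minimum

    for s in vertices:
        walk(s, [s])
    return found


def contradictory_cycle_constraints(vertices, dashed, solid):
    """phi'_trans as a list of (premise edges, conclusion edge)."""
    solid_set = {frozenset(e) for e in solid}
    cons = []
    for cyc in simple_cycles(vertices, dashed + solid):
        es = [frozenset((cyc[i], cyc[(i + 1) % len(cyc)])) for i in range(len(cyc))]
        sol = [e for e in es if e in solid_set]
        if len(sol) == 1:                              # contradictory cycle
            cons.append(([e for e in es if e != sol[0]], sol[0]))
    return cons


def decide(vertices, dashed, solid, phi_enc):
    """Brute-force model of phi_enc & phi'_trans over the edge variables."""
    edges = sorted({frozenset(e) for e in dashed + solid}, key=sorted)
    cons = contradictory_cycle_constraints(vertices, dashed, solid)
    for bits in product((False, True), repeat=len(edges)):
        alpha = dict(zip(edges, bits))
        if phi_enc(lambda x, y: alpha[frozenset((x, y))]) and all(
                alpha[s] or not all(alpha[p] for p in ps) for ps, s in cons):
            return alpha
    return None


def reconstruct(vertices, dashed, alpha):
    """Slide 20: in every violating triangle flip a non-conductive T-edge
    (necessarily solid) to F (Type 1), else a dashed F-edge to T (Type 2),
    until no triangle violates transitivity.  Flips do not change
    conductivity (slide 21), so it is recomputed on the current alpha."""
    dashed_set = {frozenset(e) for e in dashed}
    alpha = dict(alpha)

    def conductive(e):      # a dashed path of T-edges joins the endpoints
        a, b = tuple(e)
        seen, stack = {a}, [a]
        while stack:
            u = stack.pop()
            for w in vertices:
                f = frozenset((u, w))
                if f in dashed_set and alpha.get(f) and w not in seen:
                    seen.add(w)
                    stack.append(w)
        return b in seen

    changed = True
    while changed:
        changed = False
        for t in combinations(vertices, 3):
            es = [frozenset(p) for p in combinations(t, 2)]
            if any(e not in alpha for e in es):
                continue
            false = [e for e in es if not alpha[e]]
            if len(false) != 1:                       # not a violating triangle
                continue
            e_f = false[0]
            not_cond = [e for e in es if e != e_f and not conductive(e)]
            if not_cond:                              # Type 1
                alpha[not_cond[0]] = False
                changed = True
            elif e_f in dashed_set:                   # Type 2
                alpha[e_f] = True
                changed = True
    return alpha


# Slide 13: dashed x1=x2, x2=x3, solid x1!=x3 -> one constraint instead of three.
V3, DASHED3, SOLID3 = ["x1", "x2", "x3"], [("x1", "x2"), ("x2", "x3")], [("x1", "x3")]
PHI3 = lambda eq: eq("x1", "x2") and eq("x2", "x3") and not eq("x1", "x3")
# Constructed: x1=x2 & x2=x3 & (x1=x3 | x3!=x4): no contradictory cycle, so
# phi'_trans is empty and the first model found has a violating triangle.
V4 = ["x1", "x2", "x3", "x4"]
DASHED4, SOLID4 = [("x1", "x2"), ("x2", "x3"), ("x1", "x3")], [("x3", "x4")]
PHI4 = lambda eq: eq("x1", "x2") and eq("x2", "x3") and (eq("x1", "x3") or not eq("x3", "x4"))
```

For the slide-13 triangle the procedure emits a single constraint and still finds the formula unsatisfiable. For PHI4 the graph has no contradictory cycle at all, so φ'_trans is empty and the first model returned has x1 = x2 and x2 = x3 true but x1 = x3 false; reconstruct() recognises this as a Type 2 triangle (the F-edge is dashed and conductive) and flips x1 = x3 to T, giving a model of φ_enc ∧ φ_trans, exactly as the theorem promises.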
Slide 25. Part III, continued: Algorithm II – Range allocation (outline as on slide 4)
Slide 26. Range allocation and the small-model property
Slide 27. Uninterpreted functions: from a general formula [not shown on the slide] to a formula with uninterpreted functions [not shown on the slide]
Slide 28. Ackermann's reduction: from a formula with uninterpreted functions [not shown on the slide] to a formula in the theory of equality [not shown on the slide]
Slide 29. The small-model property
Equality logic enjoys the small-model property: if a formula in this logic is satisfiable, then it has a finite model whose size is bounded. It gets better: in equality logic we can compute this bound, which suggests a decision procedure (enumerate the models up to the bound). What is this bound?
Slide 30. The small-model property
Claim: the range 1..n is adequate for every variable, where n is the number of variables in φ^E.
Proof: every satisfying assignment defines a partition of the variables into classes of equal values. Every assignment that results in the same partition also satisfies the formula, since φ^E only compares variables for equality. The range 1..n allows all partitions: a partition has at most n classes, and the k-th class can take the value k.
Slide 31. Complexity
We need log n bits to encode the range 1..n, so for n variables we need n log n bits. This is already better than the worst-case O(n^2) bits required by the Boolean (edge-variable) encoding, which needs one bit per equality atom.
Slide 32. Finite instantiations revisited
Instead of giving every variable the range [1..11] (there are 11 variables: x1, x2, y1, y2, g1, g2, z, u1, f1, f2, u2), analyze connectivity: variables that are never compared need not share values.
[figure: the E-graph over these variables]
x1, y1, x2, y2: {0-1}; u1, f1, f2, u2: {0-3}; g1, g2, z: {0-2}
The state space shrinks from 11^11 to 2^4 · 4^4 · 3^3 ≈ 10^5.
Slide 33. Or even better
[figure: the same E-graph]
x1, y1, g1, u1: {0}; x2, y2, g2, f1: {0-1}; u2: {0-3}; f2, z: {0-2}
An upper bound on the state space of this kind of allocation is n! (give the i-th variable the range 1..i). Here the state space shrinks from ~10^5 to 1 · 2^4 · 4 · 3^2 = 576.
Slide 34. Choosing a minimal range for the integer variables
φ^E: ¬((a = b) ∨ ¬(b = c)) → (d e)   [the relation between d and e is missing on the slide]
0. a, b, c, d, e: {1}                              state space 1      (normal)
1. a, b, c, d, e: {1..5}                           state space 3125   (1..n)
2. a, b, c: {1..3}; d, e: {1..2}                   state space 108    (connectivity analysis)
3. a: {1}, b: {1-2}, c: {1-3}; d: {1}, e: {1-2}    state space 12     (factorial reduction)
Slide 35. Before and after, in SMV [screenshots not reproduced]
Slide 36. The range-minimization problem
Given an equality formula φ^E, find in polynomial time a small domain D* sufficient to preserve its satisfiability. In other words: find D* such that φ^E is satisfiable under an infinite domain D iff φ^E is satisfiable under the finite domain D*.
Slide 37. The strategy
1. Determine a range allocation R, mapping each variable x_i of φ^E into a small set of integers, such that φ^E is satisfiable iff it is satisfiable over some R-interpretation (an assignment with x_i ∈ R(x_i) for every variable).
2. Encode each variable x_i as an enumerated type over R(x_i), and use a standard satisfiability checker as a decision procedure.
Slide 38. What range is adequate?
Recall that a subgraph of an E-graph G^E(φ^E) is unsatisfiable (inconsistent) iff it contains a contradictory cycle: a cycle with exactly one solid edge.
Definition: a range allocation R is adequate for G^E(φ^E) if every satisfiable subgraph can be satisfied under R, i.e. every consistent subset of the atoms has a model whose values lie in the allocated ranges.
Now we need an algorithm to find adequate ranges.
Slide 39. Examples [not reproduced]
The price of a polynomial procedure: the predicates of φ^E (the E-graph) hold less information than φ^E itself, so the allocation must be adequate for every consistent subset of the atoms, not only for the combinations that φ^E actually requires.
Slide 40. Building the E-graph
φ^E = [formula not shown on the slide]
[figure: the E-graph over x1, x2, y1, y2, g1, g2, z, u1, f1, f2, u2]
Note: 1. inconsistent subsets appear as contradictory cycles; 2. some of the vertices are mixed (incident to both dashed and solid edges).
Slide 41. The range-allocation algorithm
Step I - pre-processing:
A. Remove all solid edges not belonging to contradictory cycles (a solid edge lies on a contradictory cycle iff its endpoints are connected by a path of dashed edges).
B. Give a single unique value to each singleton vertex (a vertex left without any edge), and remove it from the graph.
[figure: x1, x2, y1, y2 become singletons and receive the unique values {0}, {1}, {2}, {3}]
Slide 42. Step II - set construction:
A. For each mixed vertex x_i:
   1. add a unique value u_i to R(x_i);
   2. broadcast u_i on G_= : add u_i to the range of every vertex reachable from x_i over dashed edges;
   3. remove x_i (with its edges) from the graph.
B. Add a unique value to each remaining G_= component (connected component of the dashed subgraph).
[figure: on the component g1, g2, z the mixed vertex g2 receives {4}, which is broadcast to g1 and z; after g2 is removed, the remaining vertices g1 and z receive a further value]
Slide 43. [figure: the same steps on the component u1, f1, f2, u2: a mixed vertex broadcasts {6} to all four vertices; the next mixed vertex adds 7 to f1, f2, u2; further unique values are then added to u2 and to f1]
Slide 44. Is the allocated range adequate?
[figure: the final allocation, with x1, x2, y1, y2: {0}, {1}, {2}, {3}; g1, g2, z from {4} and {4, ...}; u1: {6}; f1, f2: {6, 7}; u2: {6, 7, ...}]
We have to satisfy every consistent subset B of the atoms. For every x in B, assign the smallest value allocated in step A to a mixed vertex which is G_=(B)-connected to x (connected to x over the dashed edges of B). If there isn't any, choose the value given in step B.
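Steps I and II of slides 41-44 in code, together with the 1..n enumeration of slides 30-31 as the baseline they improve on; this is an added example, not the lecture's code. The E-graph is given explicitly as dashed and solid edge lists (the polarities of the atoms in NNF), mixed vertices are eliminated in input order (slide 45 notes that the order matters), the decision step enumerates assignments within the allocated ranges instead of encoding them for a SAT solver, and the five-variable formulas PHI_SAT and PHI_UNSAT over the edge lists DASHED and SOLID are constructed for this example.

```python
"""Range allocation (slides 41-44) with the 1..n enumeration of slide 30 as the
baseline.  Added example, not the lecture's code.  The E-graph is given
explicitly: dashed edges = positive equality atoms of the NNF, solid edges =
negated ones.  Mixed vertices are eliminated in input order."""
from itertools import count, product
from math import prod


def range_allocation(vertices, dashed, solid):
    """Return R: variable -> sorted list of allowed values."""
    D = {v: set() for v in vertices}                # G_= (dashed) adjacency
    S = {v: set() for v in vertices}                # solid adjacency
    for a, b in dashed:
        D[a].add(b)
        D[b].add(a)
    for a, b in solid:
        S[a].add(b)
        S[b].add(a)
    R = {v: set() for v in vertices}
    fresh = count()                                 # source of unique values

    def eq_component(v):                            # reachable over dashed edges
        seen, stack = {v}, [v]
        while stack:
            for w in D[stack.pop()]:
                if w not in seen:
                    seen.add(w)
                    stack.append(w)
        return seen

    # Step I.A: a solid edge closes a contradictory cycle iff its endpoints are
    # connected in G_=; all other solid edges are dropped.
    for v in vertices:
        S[v] &= eq_component(v)
    # Step I.B: singleton vertices get a unique value and leave the graph.
    for v in vertices:
        if not D[v] and not S[v]:
            R[v].add(next(fresh))
            del D[v], S[v]
    # Step II.A: a mixed vertex gets a unique value, broadcasts it over its
    # G_= component and is removed; repeat while mixed vertices remain.
    while True:
        mixed = [v for v in D if D[v] and S[v]]
        if not mixed:
            break
        v, u = mixed[0], next(fresh)
        for w in eq_component(v):
            R[w].add(u)
        for w in D.pop(v):
            D[w].discard(v)
        for w in S.pop(v):
            S[w].discard(v)
    # Step II.B: one unique value per remaining G_= component.
    done = set()
    for v in D:
        if v not in done:
            comp, u = eq_component(v), next(fresh)
            done |= comp
            for w in comp:
                R[w].add(u)
    return {v: sorted(r) for v, r in R.items()}


def decide(vertices, ranges, phi_enc):
    """Enumerate assignments within the ranges; return a model or None."""
    for vals in product(*(ranges[v] for v in vertices)):
        m = dict(zip(vertices, vals))
        if phi_enc(lambda x, y: m[x] == m[y]):
            return m
    return None


def small_model_ranges(vertices):
    """Slide 30: the range 1..n for each of the n variables is adequate."""
    return {v: list(range(1, len(vertices) + 1)) for v in vertices}


def state_space(ranges):
    return prod(len(r) for r in ranges.values())


# Constructed example.  Atoms: x1=x2, x2=x3, x3=x4 (dashed); x1!=x3, x4!=x5 (solid).
V = ["x1", "x2", "x3", "x4", "x5"]
DASHED = [("x1", "x2"), ("x2", "x3"), ("x3", "x4")]
SOLID = [("x1", "x3"), ("x4", "x5")]
PHI_SAT = lambda eq: ((eq("x1", "x2") or eq("x2", "x3")) and not eq("x1", "x3")
                      and eq("x3", "x4") and not eq("x4", "x5"))
PHI_UNSAT = lambda eq: (eq("x1", "x2") and eq("x2", "x3") and not eq("x1", "x3")
                        and eq("x3", "x4") and not eq("x4", "x5"))

if __name__ == "__main__":
    R = range_allocation(V, DASHED, SOLID)
    print(R, "state space", state_space(R), "vs", state_space(small_model_ranges(V)))
    print(decide(V, R, PHI_SAT), decide(V, R, PHI_UNSAT))
```

On this graph the solid edge x4 ≠ x5 closes no contradictory cycle and is dropped, x5 becomes a singleton, x1 is the first mixed vertex and broadcasts its unique value over x2, x3, x4, and the remaining dashed component x2, x3, x4 receives one more value. The result is x1: {1}, x2, x3, x4: {1, 2}, x5: {0}, a state space of 8 against 5^5 = 3125 for the range 1..n, and both enumerations agree on PHI_SAT and PHI_UNSAT, which is what adequacy means.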
Slide 45. Further optimizations
The order in which mixed vertices are eliminated has a strong effect on the resulting ranges. Not all mixed vertices need to start from a unique value; an analysis that involves solving a coloring problem can help here (see the lecture notes).
Slide 46. A state-space story
[figure: an allocation on the same graph with ranges {0}, {1}, {2}, {3}, {4}, {4,5}, {4,5}, {6}, {6}, {6,7}, {6,8}]
[table: number of assignments to check under each strategy, as on the slide: 1..n: 11^11; 1..i: 11!; connectivity: 576; basic / order / color: 48 / 72 / ?]
Slide 47. Interlude
So far we solved φ^UF in three steps:
1. reduce φ^UF to an equality-logic formula φ^E, and
2. either reduce φ^E to the propositional formula φ_enc ∧ φ_trans, or find a small domain for each variable;
3. solve the resulting propositional formula.
Next we improve the small-domain method by constructing smaller E-graphs.
Slide 48. Smaller E-graphs
So far we first reduced φ^UF to φ^E and only then constructed the E-graph.
The clique problem: n instances of a function in φ^UF yield an n-clique between f1, ..., fn, and a similar clique between their arguments, in G^E(φ^E), because the functional-consistency constraints compare every pair of instances.
New strategy: add functional-consistency constraints to the graph 'as needed'.
Slide 49. Constructing smaller E-graphs
Let flat(φ^UF) be the formula derived from φ^UF by replacing each function instance F_i with a new variable f_i.
Example: φ^UF: F1(G1(x1)) ≠ F2(G2(x2)) ∧ x1 = x2
flat(φ^UF): f1 ≠ f2 ∧ x1 = x2
(the inner instances G1(x1), G2(x2) are flattened to g1, g2 as well, but they no longer occur in the result)
Slide 50. Constructing smaller E-graphs
Recall: to check the satisfiability of φ^UF_1: F1(x1) ≠ F2(x2) ∧ ((x1 = x2) ∨ true), we need to check, according to Bryant's reduction, φ^E_1: [formula not shown on the slide]. Bryant's reduction keeps F1(x1) as f1 and replaces F2(x2) by a case expression that equals f1 when x1 = x2 and f2 otherwise.
The following optimization only works with Bryant's reduction.
Slide 51. Constructing smaller E-graphs
Attempt #1: construct G^E(φ^E) according to flat(φ^UF). Note: build the graph before Bryant's reduction.
φ^UF_1: F1(x1) ≠ F2(x2) ∧ ((x1 = x2) ∨ true)
flat(φ^UF_1): f1 ≠ f2 ∧ ((x1 = x2) ∨ true)
[figure: E-graph with a solid edge f1, f2 and a dashed edge x1, x2; range allocation gives f1: {1}, f2: {2}, x1: {0}, x2: {0}]
Slides 52-54. Constructing smaller E-graphs
Does the single assignment we have, x1 = 0, x2 = 0, f1 = 1, f2 = 2, satisfy φ^E_1? No: with x1 = x2, Bryant's case expression makes F2(x2) take the value of f1, so f1 ≠ F2(x2) is unsatisfied.
So what is missing? Answer: the graph fails to represent the fact that, due to functional consistency, f1 ≠ f2 implies x1 ≠ x2.
Slide 55. Constructing smaller E-graphs
Suggestion: if there is a solid edge between f_i and f_j, add a solid edge between their arguments.
Now the assignment x1 = 0, x2 = 1, f1 = 2, f2 = 3 satisfies φ^E_1. But is this enough?
[figure: f1: {2}, f2: {3}, x1: {0}, x2: {0, 1}]
Slide 56. Constructing smaller E-graphs
Consider φ^UF_2: [formula not shown on the slide; its flat E-graph has an additional vertex z].
The allocated assignment x1 = 0, x2 = 0, f1 = 1, z = 1, f2 = 2 does not satisfy φ^E_2, so the suggested rule is not enough. So what is the rule?
[figure: f1: {1}, f2: {2}, x1: {0}, x2: {0}, z: {1}]
Slide 57. Constructing smaller E-graphs
Rule 1: if f_i ≠* f_j and x_i =* x_j, add a solid edge between x_i and x_j. (Read x =* y as "there is a path of dashed edges between x and y", and u ≠* v as "there is a path between u and v containing exactly one solid edge", so that the graph can force u ≠ v.)
Now x1 = 0, x2 = 1, f1 = 2, z = 2, f2 = 3 satisfies φ^E_2. Anything else?
[figure: f1: {2}, f2: {3}, x1: {0}, x2: {0, 1}, z: {2}]
Slide 58. Constructing smaller E-graphs
Now consider φ^UF_3: [formula not shown on the slide], for which the graph, and hence the allocation, is the same. But there is no satisfying assignment for φ^E_3 within these ranges. So what is missing?
[figure: f1: {2}, f2: {3}, x1: {0}, x2: {0, 1}, z: {2}]
Slide 59. Constructing smaller E-graphs
What is missing: x1 = x2 implies f1 = f2. With Bryant's reduction we are not supposed to worry about this, since when x1 = x2 the case expression for F2(x2) evaluates to f1 and the value of f2 is not important. But we still cannot satisfy φ^E_3 from the current graph. So still, what is missing?
Slide 60. Constructing smaller E-graphs
Recall: if the case expression for F2(x2) is assigned the value of f1, we need to make sure that f1 can satisfy the constraints over f2 (the edges incident to f2 in the graph). We can do it in two ways: either add an edge f1 = f2 (range allocation will do the rest), or copy all constraints over f2 to f1.
Slide 61. Constructing smaller E-graphs
Both options satisfy φ^E_3. [figures: the two resulting allocations, with f1 and f2 sharing the range {2, 3} after the added equality edge, or f1: {2, 3} and f2: {4} after copying the constraints; x1: {0}, x2: {0, 1}, z: {2} in both]
So what is the rule?
Slide 62. Constructing smaller E-graphs
Rule 2: for f_i, f_j with i < j, if x_i =* x_j, do one of the following:
- add the equality edge (f_i, f_j); or
- copy all constraints over f_j to f_i, i.e. for every equality edge (f_j, w) add the equality edge (f_i, w), and for every disequality edge (f_j, w) add the disequality edge (f_i, w).
Choose between the two options heuristically; typically adding fewer equality edges is better.
Q: why is this rule not symmetric in i and j? (Recall that Bryant's case expression for the later instance F_j refers back to f_i, never the other way round.)
Slide 63. Constructing smaller E-graphs
Consider [formula not shown on the slide; figure: f1, f2, x1, x2].
According to Rule 1 we add a disequality edge between x1 and x2 only if x1 =* x2. But here we need to allow x1 ≠ x2 nevertheless.
Slide 64. Constructing smaller E-graphs
Rule 3: if neither u =* v nor u ≠* v holds, add a disequality path between u and v. These edges are 'free': they do not add anything to the allocated ranges. In practice, do not add them; ensure diversity in range allocation instead, so that such pairs can take distinct values.
[figure: f1, f2, x1, x2]
Slide 65. Constructing smaller E-graphs: the algorithm
1. Build the E-graph corresponding to flat(φ^UF).
2. Repeat until no edges are added: for every pair F_i(x_i), F_j(x_j) with i < j,
   a. (Rule 1) if f_i ≠* f_j and x_i =* x_j, add a solid edge between x_i and x_j;
   b. (Rule 2) if x_i =* x_j, either add a dashed edge between f_i and f_j or copy all constraints from f_j to f_i.
3. (Rule 3) Add free edges.
4. Allocate adequate ranges for the graph.
5. Solve φ^E derived from Bryant's reduction over these ranges.
Slide 66. Small E-graph: example
[figure: f1, f2, f3, f4, x1, x2 with ranges {0}, {1}, {1, 2}, {3}, {4}, {5}]
State space = 2
Slide 67. How would the E-graph look otherwise?
Originally we first reduced φ^UF to φ^E, which added all functional-consistency constraints a priori.
[figure: the same variables with ranges {0}, {0, 1}, {0, 1, 2}, {0, 1, 2, 3}, {0, 4}, {5}]
State space = 48
Slide 68. Bryant's vs. Ackermann's reduction
Why does only Bryant's reduction work in this case? The short answer: with Bryant's reduction, when the arguments are equal it does not matter whether f1 and f2 are equal, because the case expression already selects f1. With Ackermann's reduction, giving unique values to f1 and f2 makes the formula (x1 = x2 → f1 = f2) ∧ flat(φ^UF) unsatisfiable whenever x1 = x2. The long answer: see the lecture notes.
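Slides 50-68 in code, as an added example (not the lecture's code): both reductions are written as evaluators of a flattened φ^UF over an integer assignment, Ackermann's by conjoining the constraints x_i = x_j → f_i = f_j, Bryant's by letting the term F_i take the value of the first earlier instance with an equal argument, and a decision is made by enumerating assignments within a given range allocation. Functions are unary, instances are listed as {(name, i): argument}, the fresh variable for the term F_i is named 'F<i>', and all ranges are supplied by hand: R51 and R55 are the allocations shown on slides 51 and 55 for φ^UF_1, while PHI68, R_FLAT and R_SHARED are constructed to exhibit the point of slide 68.

```python
"""Ackermann's vs. Bryant's reduction over a given range allocation (slides
50-68).  Added example, not the lecture's code.  Functions are unary, each
instance F_i(x_i) is listed as {(name, i): argument}, and the fresh variable
standing for the term F_i is named 'F<i>'.  Ranges are supplied by hand."""
from itertools import product


def holds(phi, instances, m, reduction):
    """Evaluate phi^UF under the assignment m with the chosen reduction.
    phi is a function of eq(term, term) and app(name, i); a term is either a
    variable name or an integer value produced by app."""
    def val(t):
        return m[t] if isinstance(t, str) else t

    def eq(a, b):
        return val(a) == val(b)

    def app(name, i):
        if reduction == "bryant":
            # F_i* = f_j for the first j <= i whose argument equals x_i;
            # functional consistency is built into the term itself
            for j in sorted(k for (g, k) in instances if g == name):
                if m[instances[(name, j)]] == m[instances[(name, i)]]:
                    return m[f"{name}{j}"]
        return m[f"{name}{i}"]

    if not phi(eq, app):
        return False
    if reduction == "ackermann":
        # functional-consistency constraints x_i = x_j -> f_i = f_j, conjoined
        # to the flattened formula
        for (g, i), xi in instances.items():
            for (h, j), xj in instances.items():
                if g == h and i < j and m[xi] == m[xj] and m[f"{g}{i}"] != m[f"{g}{j}"]:
                    return False
    return True


def decide(phi, instances, ranges, reduction):
    """Enumerate assignments within the ranges; return a model or None."""
    names = list(ranges)
    for vals in product(*(ranges[n] for n in names)):
        m = dict(zip(names, vals))
        if holds(phi, instances, m, reduction):
            return m
    return None


# Slide 50:  phi^UF_1 = F1(x1) != F2(x2) & ((x1 = x2) | true)
INST = {("F", 1): "x1", ("F", 2): "x2"}
PHI1 = lambda eq, app: not eq(app("F", 1), app("F", 2)) and (eq("x1", "x2") or True)
R51 = {"x1": [0], "x2": [0], "F1": [1], "F2": [2]}        # slide 51: flat graph only
R55 = {"x1": [0], "x2": [0, 1], "F1": [2], "F2": [3]}     # slide 55: after Rule 1

# Constructed for slide 68:  phi^UF = x1 = x2 & F1(x1) != y & F2(x2) != y.
# In the flat E-graph f1 and f2 are unrelated and receive unique values.
PHI68 = lambda eq, app: (eq("x1", "x2") and not eq(app("F", 1), "y")
                         and not eq(app("F", 2), "y"))
R_FLAT = {"x1": [3], "x2": [3], "y": [2], "F1": [0], "F2": [1]}
R_SHARED = {"x1": [3], "x2": [3], "y": [2], "F1": [0, 1], "F2": [0, 1]}  # lets f1 = f2

if __name__ == "__main__":
    for red in ("bryant", "ackermann"):
        print(red, decide(PHI1, INST, R51, red), decide(PHI1, INST, R55, red))
        print(red, decide(PHI68, INST, R_FLAT, red), decide(PHI68, INST, R_SHARED, red))
```

With R51 neither reduction finds a model of φ^UF_1 although it is satisfiable (the missing x1 ≠ x2 edge of slide 54); with R55 both do. For PHI68 the ranges of the flat graph give f1 and f2 unique values: Bryant's reduction still finds the model, since F2's case expression evaluates to f1 when x1 = x2, whereas Ackermann's constraint x1 = x2 → f1 = f2 cannot be met and the enumeration wrongly reports unsatisfiable until f1 and f2 are allowed to coincide (R_SHARED), which is what the a-priori clique of slide 67 pays for.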