The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv
Bibliography Nelson & Oppen Simplification by Cooperating Decision Procedures TOPLAS 1980 Tinelli & Zarba Combining non-stably infinite theories Journal of Automated Reasoning, 2006 Simplify: A Theorem Prover for Program Checking David Detlefs, Greg Nelson, James B. Saxe JACM 2005 Verifun: An Explicating Theorem Prover for Quantified Formulas Cormac Flanagan, Rajeev Joshi, James B. Saxe HPL Zap: Automated Theorem Proving for Software Analysis Thomas Ball, Shuvendu K. Lahiri, Madanlal Musuvathi MSR Technical Report 2005
The Simplify Theorem Prover Proof by Refutation Incomplete & Sometimes diverges Supports –Full first order logic Skolemization Incomplete treatment of universal quantifications –Special theories EUF Theory of arrays Relational Linear Algebra (The Simplex) –Incomplete treatment multiplication Partial orders –Combination of theories –New axioms Very successful: used as the engine in many checkers: –ESC/Modula3, ESC/Java, SLAM,...
Outline Search strategy (propositional) [Specialized theories] –EUF –Arrays –Simplex Combining theories Handling quantifiers Recent systems –Verifun –ZAP
Simplify search strategy Somewhat naive Top down guessing of truth values with backtracking Finds implied truth values “Lazy” conversion to CNF Use “Proxies” Scored clauses Goal oriented
Example a=b f(a) f(b) b=c f(a) f(c) Inconsistency detected by the EUF procedure so backtrack
Example a=b f(a) f(b) b=c f(a) f(c) Inconsistent with EUF Report UNSAT
Combining Decision Procedures Programming languages combine different features –Arithmetic –Data types –Arrays –… Is there a way to compose decision procedures of different theories? Given two decidable logics is there a way to combine the logics into a decidable logic?
Cooperating Decision Procedures Nelson & Oppen Quantifier free Proof be refutation Separate the conjunct into separate conjuncts A B such that –A and B use different theories –Only constants are shared If either A or B is UNSAT report UNSAT When A and B are SAT propagate equalities between A and B and repeat
Example Theories x, y: CAR(CONS(x, y)) = x x, y: CDR(CONS(x, y)) = y x: ATOM(x) CONS(CAR(x), CDR(x)) = x x, y: ATOM(CONS(x, y)) LIST x, y: x = y f (x) = f(y) EUF x: x+0 =0 x: x +-x = 0 0 1 x, y, z: (x+y)+z = x + (y+z) 0 1 x, y:x+y = y +x x: x x x, y: x y y x x, y: x y y x x=y x, y: x y y z x z x, y,z: x y x+z y+z R
A Simple Example xyxy y x+g 1 g 2 =g 3 -g 4 g 5 =0 x y y x + CAR(CONS(0, x)) P(h(x)-h(y)) P(0) P(g 2 )=true P(g 5 )=false g 3 =h(x) g 4 =h(y) g 1 =CAR(CONS(g 5, x))
Non-Convexity If one of the theories is UNSAT the original formulas is UNSAT (Soundness) But the original formula may be UNSAT and yet no single equality suffices to prove UNSAT Happens for theories which imply non-convex equalities T F c 1 = c 2 c 3 = c 4 without T F c 1 = c 2 or T F c 3 = c 4 Performs a case split
Example for Case Split SELECT(UPDATE(v, I, e), j) = x SELECT(v, j)=y x>e x>y
Equality Propagation Procedure 1.Assign conjunctions to F L and F F s.t., F F contains only F-literals F L contains only L-literals F L F F is satisfiable iff F is satisfiable 2.If either F L or F F is UNSAT report UNSAT 3.If either F L or F F entails equality not entailed by other add this equality and go to step 2 4.If either F L or F F entails u 1 =v 2 u 2 =v 2 … u k =v k without entailing any equality alone then apply the procedure recursively to the k-formulas F L F F v i = u i If any of these formulas is SAT return SAT 5.Return UNSAT
Notes Only equalities are propagated Requires that the theories can find all consequent equalities Completeness is non-obvious The original paper also performs simplification
Convexity A formula F is non-convex F entails u 1 =v 2 u 2 =v 2 … u k =v k without entailing any equality alone –Otherwise it is convex A theory is convex Convex theories –EUF –Relational linear algebra Non-convex theories –Theory of arrays –Theory of reals under multiplications xy =0 z=0 R x=z y=z –Theory of integers under + and
Hints about Completeness The residues of formula –The strongest Boolean combinations of equalities between constants entailed by the formula x=f(a) y=f(b)a=b x=y x+y-a-b>0 (x=a y=b) (x=b y=a) x=STORE(v, u, e)[j] i=j x=e x=STORE(v, u, e)[j] y=v[j] if i=j then x=e else x=y Lemma 4: If A and B are formulas whose only common parameters are constant symbols then RES(A B) = RES(A) RES(B)
The residues in the simple example xyxy y x+g 1 g 2 =g 3 -g 4 g 5 =0 g 1 =g 5 x=y g 5 =g 2 g 3 =g 4 x y y x + CAR(CONS(0, x)) P(h(x)-h(y)) P(0) P(g 2 )=true P(g 5 )=false g 3 =h(x) g 4 =h(y) g 2 g 5 x=y g 3 =g 4 g 1 =CAR(CONS(g 5, x)) g 1 =g 5
Handling Quantifiers The problem becomes undecidable Complete procedures exist and implemented (e.g., SPASS next week) Simplify employs incomplete heuristics –Instantiate universal quantifiers with relevant terms –Can be tuned by the user
Instantiating universal quantifiers Suppose that 8 x 1, …, x n. P is known to hold –For example, because it is an axiom –Or because it is added to the environment during a backtracking We want to find substitutions giving values to x 1, …,x n such that (P) will be useful in the proof
General idea in matching Pick a term t from P called a trigger (sometimes pattern) Instantiate P with a substitution if (t) is a term that the prover is likely to require information about Separately implemented for different theories Intuition: –Since P contains the term t, (P) will contain the term (t), and so it provides information about (t) –This is likely to be useful, since the prover wants information about (t)
Matching in the E-graph The Congruence Graph is called E-graph Match triggers into equivalence classes For every occurrence of the trigger in the E- graph assert the corresponding instance –Adds terms and equalities
Example Assume 8 x,y: car(cons(x,y)) = x Prove cons(a, b) = cons(c, d)) a=c First trigger “car(cons(x,y)” Second trigger “cons(x,y)”
Choosing a trigger Heuristically important Liberal (small) triggers –Too many terms –Sometimes infinite loops Conservative (large) triggers –May fail to prove the theorem The user can provide –Candidate triggers –Candidate untriggers
Triggers as sets of terms Sometimes single trigger is not enough s, t, x: member(x, s) subset(s, t) member(x,t ) Use sets of terms as triggers { member(x, s), subset(s, t)}
Matching in the E-graph (example) Assume 8 x:f(x) = x [trigger f(x)] 8 x:g(g(x) = x [trigger g(g(x))] Prove g(f(g(a))) = a
Matching Loops Repeated applications of matching Example x: P(f(x), f(g(x)) [Trigger f(x)] Can be sometimes avoided by: –Check if the body of the quantifier contains a larger instance of the term –Alternate matching and decisions –User input
Limitations of matching Matching loops Not goal oriented Limitations of the theories ( x: P(x+1)) P(1+a)
Simplify experience Handles large formulas Robust In many cases complete enough Fully automatic for simple program verification –Cleanness Incompleteness in programs –Deep properties –Shape of dynamically allocated structures But slow on Boolean combinations
Verifun : A Theorem Prover Using Lazy Proof Explication Rajeev Joshi Cormac Flanagan, Jim Saxe and Xinming Ou Key ideas: –use SAT solvers to find candidate truth assignments to atomic formulae – have theory modules produce compact “proofs” that are added to the SAT problem to reject all truth assignments containing the “same” inconsistency Requires –proof explicating theory modules Uses Simplify Theories extended with Explication and matching Implemented in Java (~10,500 lines) and in C (~800 lines)
Zap: Automated Theorem Proving for Software Analysis Thomas Ball, Shuvendu Lahiri, Madanlal Musuvati (MSR) Use a SAT algorithm for the search procedure Use Nelson&Oppen to combine theories Develop new decision procedures Use quantifier matching Add features for program analysis
Conclusion Handling specialized theories yields significant improvements –Efficiency –Termination –Predictability Combination procedures are useful But resolution based theorem provers can still br superior in several cases