Nikolaj Bjørner Joe Hendrix Microsoft Research & Corporation

Linear Functional Fixed-Point Logic (FFP) Complexity results for FFP: FFP(Propositional) – PSPACE/NP FFP(Linear/Equalities) – PSPACE By a reduction to LTL FFP(Non-linear)– NEXPTIME hard/undecidable Integrating FFP with an SMT solver (Z3)

TT TT FF FF FF TT head curr data(curr) := true; curr := f(curr) data(curr) := true; curr := f(curr) curr = head TT TT TT TT TT TT head curr curr := head FF FF FF FF FF FF head curr Loop invariant: Every data element between head and curr is set to true FF FF FF FF FF TT head curr

Loop invariant : Every data element between head and curr is set to true TT TT FF FF FF TT head curr  x  [head  curr]. data(x) f invariant(head) where invariant(x) = x = curr  (data(x)  invariant(f(x))) LFP Inv, x. [ x = curr  (data(x)  Inv(f(x))) ] (head)  Inv x [ x = curr  (data(x)  Inv(f(x))) ] (head) What are practical ways of reasoning with such fixed-points?

uvuvuvuv uvuvuvuv f w [Nelson 80] uuvvww f ff f f f

uuvvww f ff ff uvuvuvuv uvuvuvuv btwn f (u,v,w) [Rakamarić07+] btwn f (u,v,w) [Rakamarić07+] f w [Nelson 80] f

uuvv f ff f uvuvuvuv uvuvuvuv btwn f (u,v,w) [Rakamarić07+] btwn f (u,v,w) [Rakamarić07+] wf. Reachability [Lahiri, Qadeer 06] wf. Reachability [Lahiri, Qadeer 06] f w [Nelson 80] B(u) = v   BSet(u)  BSet(f(u))  BSet(f(f(u))) BSet(v) R(u,v)  uuvv f ff f  BSet(f(u))  BSet(f(f(u))) From u reach v and v is the first element satisfying BSet(v) From u reach v and everything after u and up to v satisfies  BSet

uvuvuvuv uvuvuvuv btwn f (u,v,w) [Rakamarić07+] btwn f (u,v,w) [Rakamarić07+] wf. Reachability [Lahiri, Qadeer 06] wf. Reachability [Lahiri, Qadeer 06] f w [Nelson 80] Interpreted sets & Bounded quant. [Lahiri, Qadeer 08] Interpreted sets & Bounded quant. [Lahiri, Qadeer 08] Use first-order axioms to encode quantifier-free theory of reachability. [LQ08] rely on SMT solver Z3 for instantiating axioms using triggers. Required quantifier support by solver is not so off-the-shelf. Use first-order axioms to encode quantifier-free theory of reachability. [LQ08] rely on SMT solver Z3 for instantiating axioms using triggers. Required quantifier support by solver is not so off-the-shelf.

uvuvuvuv uvuvuvuv btwn f (u,v,w) [Rakamarić07+] btwn f (u,v,w) [Rakamarić07+] wf. Reachability [Lahiri, Qadeer 06] wf. Reachability [Lahiri, Qadeer 06] f w [Nelson 80] Interpreted sets & Bounded quant. [Lahiri, Qadeer 08] Interpreted sets & Bounded quant. [Lahiri, Qadeer 08] FFP(Prop) Lin. FFP(Eq) FFP(Non-linear) Reachable Patterns [Yorsh+ 06] Reachable Patterns [Yorsh+ 06] wSnS (finite trees) wSnS (finite trees) wS1S (fin. Acyclic lists) wS1S (fin. Acyclic lists) S1S (inf. Acyclic lists) S1S (inf. Acyclic lists) SnS (inf. Trees) SnS (inf. Trees) wSO(f) (finite linked lists) wSO(f) (finite linked lists) SO(f) (infinite trees) SO(f) (infinite trees)

[Immerman+ 04] First-order transitive closure [Møller+ 05] Pointer assertion logic [Lev-Ami+ 05] Acyclic transtive closure [McPeak+ 05] Linked lists [Ranise+ 05] Linked lists [Balaban+ 07] Single parent heaps [Bouajjani ] Reachability + arithmetic + T Apologies for relevant omissions.

Existing decision procedures for fixed-points use -Encoding with first-order axioms -Rely on first-order instantiation engine for completeness -Reduction to automata -Powerful combination with some theories, but flexible combination approach and “low-order” complexity results unclear to us TT TT FF FF FF TT head curr

Theories Core Theory SAT solver Bit-Vectors Arithmetic Data-types E- matching Arrays Formula Rewriting Simplification Specialized theory solvers interoperate by exchanging learned equalities and clauses with a common congruence closure core Core  Theory: Equalities, asserted literals Theory  Core: Equalities, asserted literals, new clauses TT TT FF FF FF TT head curr

Loop invariant : Every data element between head and curr is set to true TT TT FF FF FF TT head curr  x  [head  curr]. data(x) f invariant(head) where invariant(x) = x = curr  (data(x)  invariant(f(x))) LFP Inv, x. [ x = curr  (data(x)  Inv(f(x))) ] (head)  Inv x [ x = curr  (data(x)  Inv(f(x))) ] (head)

 [data(x) Until f,x x = curr] (head) Is there a convenient propositional-like abstraction of fixed-points? Our Approach: establish and use a connection with Linear Time Temporal Logic for linear functional fixed-points  Inv x [ x = curr  (data(x)  Inv(f(x))) ] (head) A Until B B  [A   (A Until B)]  X. B  [A   X]  TT TT FF FF FF TT head curr

 [A(x) Until f,x B(x)] (a)    R x [B(x)  (A(x)  R(f(x)))] (a)  [  f,x A(x)] (a)   [true Until f,x A(x)] (a) [ f,x A(x)] (a)   [  f,x  A(x)] (a)

uvuvuvuv uvuvuvuv btwn f (u,v,w) [Rakamanic07+] btwn f (u,v,w) [Rakamanic07+] wf. Reachability [Lahiri, Qadeer 06] wf. Reachability [Lahiri, Qadeer 06] f w [Nelson 80] Interpreted sets & Bounded quant. [Lahiri, Qadeer 08] Interpreted sets & Bounded quant. [Lahiri, Qadeer 08] FFP(Prop) Lin. FFP(Eq) FFP(Non-linear) Reachable Patterns [Yorsh+ 06] Reachable Patterns [Yorsh+ 06] wSnS (finite trees) wSnS (finite trees) wS1S (fin. Acyclic lists) wS1S (fin. Acyclic lists) S1S (inf. Acyclic lists) S1S (inf. Acyclic lists) SnS (inf. Trees) SnS (inf. Trees) wSO(f) (finite linked lists) wSO(f) (finite linked lists) SO(f) (infinite trees) SO(f) (infinite trees)

uvuvuvuv uvuvuvuv btwn f (u,v,w) [Rakamanic07+] btwn f (u,v,w) [Rakamanic07+] wf. Reachability [Lahiri, Qadeer 06] wf. Reachability [Lahiri, Qadeer 06] f w [Nelson 80] Interpreted sets & Bounded quant. [Lahiri, Qadeer 08] Interpreted sets & Bounded quant. [Lahiri, Qadeer 08] FFP(Prop) Lin. FFP(Eq) FFP(Non-linear) Reachable Patterns [Yorsh+ 06] Reachable Patterns [Yorsh+ 06] Propositional Linear Time Temporal Logic ?

[  f,x P(f(x))](a)  [ f,x P(x)](b)  [Q(x) Until f,x P(f(x))](b) - Distinguished function f - Unary predicate symbols, P, Q, R - At most one bound variable in scope at any time [Q(x) Until f,x [P(f(x)) Until f,y R(y)]](b)

From LTL to FFP(PL)  P   f,x f,x P(f(x))(anchor) From FFP(PL) to LTL  f,x P(f(x))(a)  f,x P(x)(b)   P a  P b Complexity(FFP(PL)) = Complexity(pLTL)

f u  v uuvv f ff f f [True Until f,x x = v](u)   f,x (x = v)(u) [True Until f,x x = v](u)   f,x (x = v)(u)

f u  v w uuvvww f ff f f f [x  w Until f,x x = v](u)

btwn f (u,v,w) [x  w Until f,x x = v](u)   f,x (x = w)(v) uuvvww f ff ff f

uuvv f ff f B(u) = v   BSet(u)  BSet(f(u))  BSet(f(f(u))) BSet(v) R(u,v)  uuvv f ff f  BSet(f(u))  BSet(f(f(u))) [  BSet(f(x)) Until f,x x = v](u) [  BSet(x) Until f,x x = v](u)  BSet(v)

[ f,x x  c](b)  [  g,x P(g(x))](a)  [  f,x P(f(x))](a)  [x  fff(x) Until f,x x = a](b)  [  g,x g(g(x)) = x](c) - Distinguished functions f, g - As long as f and g are separate - Unary predicate symbols, P, Q, R - At most one bound variable in scope at any time

wp(f(u) := v, [A Until f,x B](w)) f’ := x. if x = u then v else f(x) =[A Until f,x B](w)[f  f’] A’ := A[f  f’], B’ := B[f  f’] =[A’ Until f’,x B’](w) = …. = [A’’ Until f,x B’’](w) A’’ := A’  u  x B’’ := B’  (u = x  [(u  x  A’) Until f,x B’](v))

From LTL to FFP(E)  P   f,x f,x P(f(x))(anchor) From FFP(E) to LTL? [  f,x x = c   f,x P(x)](a)   a and b reach c [  f,x x = c   f,x P(x)](b) after that there is a common P state.

From LTL to FFP(E)  P   f,x f,x P(f(x))(anchor) From FFP(E) to LTL [  f,x (T(x)  U(x))  f(x) = b](a)  [  f,x (T(x)  U(x))  f(x) = c](b)  [  f,x (T(x)  U(x))  f(x) = a](c) TT bb TT ccTT aa UU UU UU Obstacle: f is a function.- The Temporal Next  operator does not encode functionality by itself.

 Tableau (  ) F – acc. cond Tableau (  ) F – acc. cond  PTL  PTL* Normalize f Erasure Functionality axioms Functionality axioms

 Tableau (  ) F – acc. cond Tableau (  ) F – acc. cond  PTL  PTL* Normalize f Erasure Functionality axioms Proposition: Validity for FFP(E) is PSPACE complete  PTL*  Size of  PTL* is quadratic in  Pure pLTL formula

FFP(NL) – more than one variable in nested bound context [ f,x [ f,y f(x)  y](x)] (a) NEXPTIME hard  FFP(NL)  MSO(f) 2FFP(E) – allow nested use of functions f g: [ f,x g(f(x)) = f(g(x))] (a) 2FFP(E) is undecidable aa f ff ff f f aa f f f f f f f ff f f f g g g g g g g g g g g g

Most SMT solvers use a DPLL(T) architecture SAT Equality Core Theories Literal assignments Equalities Literal assignments Equalities Literal assignments Lemmas (Conflict Clauses)

Property: FFP(E) is stably infinite If FFP(E) formula  has a model, it has a model of size N, it has a model of size N+1 Theorem: Let T be stably infinite, decidable, and have disjoint signature from f, g, Then quantifier-free formulas over FFP(E) + T are decidable

pLTL Equality Core Theories Trace  of Literal assignments Equalities Literal assignments Equalities Literal assignments Invariants Safety properties

Linear Functional Fixed-Point Logic (FFP) Complexity results for FFP: FFP(Propositional) – PSPACE/NP FFP(Linear/Equalities) – PSPACE By a reduction to LTL FFP(Non-linear)– NEXPTIME hard/undecidable Integrating FFP with the SMT solver

We established a sandwich link between Linear Functional Fixed-Point Logic and Propositional Linear Time Temporal Logic More sandwiched links plausible, but open. From DPLL(T) to SMC(T) We show how to integrate a solver based on LTL with an SMT Solver A prototype using CUDD and shows signs of life