1 A propositional world Ofer Strichman School of Computer Science, Carnegie Mellon University

2 Integrated decision procedures in Theorem-Provers Deciding a combination of theories is the key for automation in Theorem Provers: Boolean operators, Bit-vector, Sets, Linear-Arithmetic, Uninterpreted functions, More … f(f(x)-f(y)) != f(z) & y 10 Uninterpreted functions Linear Arithmetic Bit-Vector operators Normally, each theory is solved with its own decision procedure and the results are combined (Shostak, Nelson..).

3 Integrated decision procedures in Theorem-Provers All of these theories, except linear arithmetic, have known efficient direct reductions to propositional logic. Thus, reducing linear arithmetic to propositional logic will: 1. Enable integration of theories in the propositional logic level. 2. Potentially be faster than known techniques.

4 Linear Arithmetic and its sub-theories 2x –3y +5z < 0 5x + 2w  2 Some useful methods for solving a conjunction of linear arithmetic expressions: 1.Simplex, Elliptic curve 2.Variable Elimination Methods (Hodes, Fourier-Motzkin,..) 3.Shostak’s loop residues 4.Separation theory: Bellman / Pratt

5 A decision procedure for separation theory Separation predicates have the form x > y + c where x,y are real variables, and c is a constant Pratt [73] (/Bellman[57]): Given a set of conjuncted separation predicates  1. Construct the `inequality graph’ 2.  is satisfiable iff there is no cycle with non-negative accumulated weight  : ( x > z +3  z > y –1  y > x+1) x y z 3 1

6 Handling disjunctions through case splitting All previously mentioned algorithms handle disjunctions by splitting the formula. This can be thought of as a two stage process: 1.Convert formula to Disjunctive Normal Form (DNF) 2.Solve each clause separately, until satisfying one of them. (A common improvement: split ‘when needed’) Case splitting is frequently the bottleneck of the procedure

7 So what can be done against case-splitting ? Given a formula , this transformation can be done if  ’ s.t. | =   | =  ’, and  ’ is decidable under a finite domain. When is this possible?  enjoys the ‘Small model property’, or Tailor-made reduction Answer: Split the domain, not the formula.

8 SAT vs. infinite-state decision procedures With finite instantiation (e.g. SAT), we split the domain. Infinite state decision procedures split the formula. So what’s the big difference ?

9 SAT vs. infinite-state decision procedures SAT splits the domain. Infinite state decision procedures split the formula. So what’s the big difference ? 1. Pruning. 2. Learning. 3. Guidance (prioritizing internal steps) Three mechanisms, crucial for efficient decision making: SAT has a significant advantage in all three.

10 SAT vs. infinite-state decision procedures 1. Pruning. 2. Learning. 3. Guidance (prioritizing internal steps) Three mechanisms, crucial for efficient decision making: SAT has a significant advantage in all three.

11 SAT vs. infinite-state decision procedures (1/4) 1. Pruning SAT: each clause c prunes up to 2 |v|-|c| states. Others: ? (stops when finds a satisfiable clause) y x Backtrack Pruned!. (x  y). |v|=1000, |c| =2 Pruning states

12 SAT vs. infinite-state decision procedures (2/4) 2. Learning SAT: Partial assignments that lead to a conflict are recorded and hence not repeated. Others: (depends on decision procedure) - Adding proved sub-goals as antecedents to new sub-goals - …

13 SAT vs. infinite-state decision procedures (3/4) 3. Guidance (prioritizing internal steps) Guidance requires efficient estimation: Consider  1   2, where  1 is unsat and hard, and  2 is sat and easy. With proper guidance, a theorem prover should start from  2. - How hard it is to solve each sub-formula? - To what extent will it simplify the rest of the proof?

14 SAT vs. infinite-state decision procedures (4/4) 3. Guidance (cont’d) “..To what extent will it simplify the rest of the proof?” SAT: Guidance through decision heuristics (e.g. DLIS). Others: Expression ordering,... (x  y  z) (x  v) (~x  ~z) Estimating simplification by counting literals in each phase

15 Example: Equality Logic with Uninterpreted Functions (1/3) Equality Logic with Uninterpreted Functions: (Uninterpreted functions are reducible to equality logic. Thus, we can concentrate on equality logic) Traditional infinite-state decision procedure: Congruence Closure with case splitting.

16 Example: Equality Logic (2/3) Since 1998, several groups devised finite-state decision procedures for this theory: Goel et. al. (CAV’98) – Boolean encoding and BDDs Bryant et. al. (CAV’99) – Positive-equality + finite instantiation Pnueli et. al. (CAV’99) – Small domains instantiation Bryant et. al. (CAV’00) – Boolean encoding with explicit constraints

17 Example: Equality Logic (3/4) Goel et. al (CAV’98): Encode each equality i=j with a new Boolean variable e ij Construct BDD of encoded formula Search BDD for a consistent path leading to ‘1’. E.g. an assignment to three variables e xy,e yz, e xz is consistent iff e xy + e yz + e xz  2

18 Example: Equality Logic (3/3) Let (x=y, y=z, x=z) be the equality predicates in . x y z e xy e xz e yz 2. Impose transitivity on cycles: e xy + e yz + e xz  2 1. Construct the equality graph. The resulting formula is propositional  BDDs, SAT, etc. Bryant et. al. (CAV’00): Add transitivity constraints to the formula.

19 Example: Equality Logic (cont’d) The number of simple cycles can be exponential. Bryant et. al. Suggested to first make the graph chordal: e1e1 e2e2 e3e3 e4e4 ecec In a chordal graph, every assignment that violates transitivity, also violates transitivity of a triangle. Hence – it is sufficient to impose Transitivity over triangles.

20 This work 1.Separation predicates: 2.Separation predicates for integers: 3.Linear arithmetic: 4.Integer linear arithmetic: Extends the results of Bryant et.al. to a Boolean combination of: Done

21 Usability Separation predicates: “Most verification conditions involving inequalities are separation predicates” [Pratt, 1973]: Array bounds checks, tests on index variables, timing constraints, worst execution time analysis, etc. Linear arithmetic: All of the above + … + Linear programming, + Integer Linear programming.

22 Reducing separation predicates to propositional logic (1/6)  : f(x) > f(y+1)  : (x=y+1  f 1 =f 2 )  (f 1 >f 2 ) A. Normalize (example):  : (x>y+1  y>x-1  (f 1  f 2  f 2  f 1 ))  (f 1 >f 2 ) 1. Uninterpreted functions  equality logic x  y+1 f1=f2f1=f2 Now  has no negations and only the ‘>’ and ‘  ’ predicate symbols. 2. Normal form

23 Reducing separation predicates to propositional logic (2/6) 1. Reduce Uninterpreted Functions to equalities. 2. Rewrite equalities as conjunction of inequalities, e.g. rewrite x=y+c as x  y+c  x  y+c. 3. Transform  to Negation Normal Form, and eliminate negations by reversing inequality signs. 4. Rewrite ‘ ’ and ‘  ’, e.g. rewrite x x – c. A. Normalize (procedure)

24 Reducing separation predicates to propositional logic (2/6)  : z y-1)  : x > z +3  (z > y –1  y  x+1) A. Normalizing example:

25 x y z 3 1 Reducing separation predicates to propositional logic (3/6)  : ( x > z +3  (z > y –1  y  x+1))  ’: Transitivity constraints   ( )) ( B. Encode + construct graph (example): x y z -3 1 Separation graph: and its dual:

26 2. Substitute each predicate in  of the form x > y+c with a Boolean variable, and add an edge (x,y,c,>) to E 1. Construct a graph G(V,E), where V = variables in . Each edge e  E is a 4-tuple (from, to, weight, {>,  }) Reducing separation predicates to propositional logic (4/6) B. Encode predicates and construct a graph (procedure) 3. Substitute each predicate in  of the form x  y+c with a Boolean variable, and add an edge (x,y,c,  ) to E

27 x y z 3 1 Reducing separation predicates to propositional logic (5/6)  ’: Transitivity constraints   ( )) ( C. Add transitivity constraints for each simple cycle (example):  ’: (((( ))    ( ( x y z -3 1

28 c1c1 c3c3 c2c2 1. If there are mixed edges: If total weight is not negative: 2. If all edges are ‘  ’: If all edges are ‘>’:... If total weight is not positive: C. Add transitivity constraints for each cycle C Reducing separation predicates to propositional logic (6/6)

29 Compact representation of constraints (1/4)..... In most cases - yes. e.g. If the diamonds are ‘balanced’ ( c 1 + c 2 = c 3 + c 4 )  O(n) constraints..... c1c1 c2c2 c 1+ c 2 n diamonds  2 n simple cycles. Can we do better than that ? c3c3 c4c4

30 Compact representation of constraints (2/4) Chordal graphs: each cycle of size greater than 3, has a ‘chord’. In the equality predicates case: Let C be a cycle in G Let  be an assignment that violates C’s transitivity (  |  C) Theorem: there exists a cycle c of size 3 in G s.t.  |  c Conclusion: add transitivity constraints only for triangles. Now only a polynomial no. of constraints is required. G:G:

31 Compact representation of constraints (3/4) Our case is more complicated: G is directed G is a multi-graph Edges have weights There are two types of edges G is chordal iff: Every directed cycle of size greater than 3 has a chord which ‘accumulates’ the weight of the path between its ends. c1c1 c2c2 c3c3 c4c4 c 1+ c 2 c5c5

32 Compact representation of constraints (4/4) Complexity of making the graph chordal: 1. If the diamonds are ‘balanced’  O(n) constraints 3. Worst case  O(2 n )..... c1c1 c1c1 c1c1 c1c1 c2c2 c2c2 c2c2 c2c2 2. If there are uniform weights c 1 and c 2, c 1  c 2 on top and bottom paths  O(n 2 ) constraints

33 Extension to integer variables (1/2) Given  with integer separation predicates, derive  R : Declare all variables as real. Replace x > y + c, x  y + c where c is not an integer, with x  y +  c  For each predicate x > y + c, add a constraint x > y + c  x  y + c + 1 Theorem:  is satisfiable iff  R is satisfiable

34 Extension to integer variables (1/2) Given  with integer separation predicates, derive  R : Declare all variables as real. Theorem:  is satisfiable iff  R is satisfiable (c is an integer) For each predicate x > y + c, add a constraint x > y + c  x  y + c + 1

35 Extension to integer variables (2/2)  : x,y: int; x > y + 1  x < y + 2 Example:  R : x,y: real; x > y + 1  y > x - 2  (x > y + 1  x  y + 2)  (y > x - 2  y  x – 1)

36 Experimental results (1/3)..... n diamonds Each diamond has 2d edges Top and bottom paths in each diamond are disjuncted. There are 2 n conjuncted cycles. By adjusting the weights, we ensured that there is a single satisfying assignment. d=2

37 Experimental results (2/3) To be continued...

38 Experimental results (3/3) To be continued... The procedure has recently been integrated into SyMP and Euclid. We currently experiment with real software verification problems.

39 Experimental results (1/2)..... n diamonds Each diamond has 2d edges Top and bottom paths in each diamond are disjuncted. There are 2 n conjuncted cycles. By adjusting the weights, we ensured that there is a single satisfying assignment. d=2

40 Next: Linear Arithmetic (1/2) x > y + c x y c c1c1 c3c3 c2c2 Adding constraints according to accumulated cycle weight: The test c 1 + c 2 + c 3 > 0 results in a yes/no answer Separation predicates:

41 Next: Linear Arithmetic (2/2) x > y + 2 z + c x y 2 z + c  3 3  2 2 x y The test  1 +  2 +  3 > 0 results in a new predicate! Shostak[81]: ‘Deciding linear inequalities by computing loop residues’ - Determine a fixed variable order - Represent each predicate by its two ‘highest’ variables This procedure guarantees termination. Linear Arithmetic: