Ofer Strichman, Technion 1 Decision Procedures in First Order Logic Part II – Equality Logic and Uninterpreted Functions
Technion2 Part I - Introduction Reminders - What is Logic Proofs by deduction Proofs by enumeration Decidability, Soundness and Completeness Some notes on Propositional Logic Deciding Propositional Logic SAT tools BDDs
Technion3 Part II – Introduction to Equality Logic and Uninterpreted Functions Introduction Definition, complexity Reducing Uninterpreted Functions to Equality Logic Using Uninterpreted Functions in proofs Simplifications Introduction to the decision procedures The framework: assumptions and Normal Forms General terms and notions Solving a conjunction of equalities Simplifications
Technion4 Equality Logic A Boolean combination of Equalities and Propositions x 1 =x 2 Æ ( x 2 = x 3 Ç : (( x 1 = x 3 ) Æ b Æ x 1 = 2)) We will always push negations inside (NNF): x 1 =x 2 Æ ( x 2 = x 3 Ç (( x 1 x 3 ) Ç :b Ç x 1 2)) Note: the set of Boolean variables is always separate from the set of term variables
Technion5 Equality Logic: the grammar formula : formula Ç formula | : formula | atom atom : term-variable = term-variable | term-variable = constant | Boolean-variable term-variables are defined over some (possible infinite) domain. The constants are from the same domain.
Technion6 Expressiveness and complexity Allows more natural description of systems, although technically it is as expressible as Propositional Logic. Clearly NP-hard. In fact, it is in NP, and hence NP-complete, for reasons we shall see later.
Technion7 Expressiveness and complexity Q1: Let L 1 and L 2 be two logics whose satisfiability problem is decidable and in the same complexity class. Is the satisfiability problem of an L 1 formula reducible to a satisfiability problem of an L 2 formula? Q2: Let L 1 and L 2 be two logics whose satisfiability problems are reducible to one another. Are L 1 and L 2 in the same complexity class ?
Technion8 Equality logic with uninterpreted functions formula : formula Ç formula | : formula | atom atom : term = term | Boolean-variable term: term-variable | function ( list of terms ) term-variables are defined over some (possible infinite) domain. Note that constants are functions with empty list of terms.
Technion9 Uninterpreted Functions Every function is a mapping from a domain to a range. Example: the ‘+’ function over the naturals N is a mapping from to N.
Technion10 Uninterpreted Functions Now: suppose we replace ‘ + ’ with an uninterpreted Binary function f ( h 1 st arg i, h 2 nd arg i ) For example: x 1 + x 2 = x 3 +x 4 is replaced with We lost the ‘semantics’ of ‘+’. In other words, f can represent any binary function. Loosing the semantics means that f is not restricted by any axioms. But f is still a function!
Technion11 Uninterpreted Functions (UF’s) The most general axiom for any function is functional consistency. Example: if x = y, then f ( x ) = f ( y ) for any function f. Functional consistency axiom scheme: x 1 = x 1 ’ Æ … Æ x n = x n ’ ! f ( x 1,…, x n ) = f ( x 1 ’,…, x n ’) Sometimes, functional consistency is all that is needed for the proof.
Technion12 Example: Circuit Transformations Circuits consist of combinational gates and latches (registers) The combinational gates can be modeled using functions The latches can be modeled with variables R1R1 I Latch Combi- national part
Technion13 Example: Circuit Transformations Some function, say I >> 5 Some other function, say L1 & … Some bitvector Input Some condition on L2
Technion14 Example: Circuit Transformations A pipeline processes data in stages Data is processed in parallel – as in an assembly line Formal Model: Stage 1 Stage 3 Stage 2
Technion15 Example: Circuit Transformations The maximum clock frequency depends on the longest path between two latches Note that the output of g is used as input to k We want to speed up the design by postponing k to the third stage Also note that the circuit only uses one of L 3 or L 4, never both We can remove one of the latches
Technion16 Example: Circuit Transformations = ?
Technion17 Example: Circuit Transformations Equivalence in this case holds regardless of the actual functions Conclusion: can be decided using Equality Logic and Uninterpreted Functions
Technion18 For each function in UF : Number function instances (from the inside out) Replace each function instance with a new variable Condition UF with a functional consistency constraint for every pair of instances of the same function. UFs Equality Logic: Ackermann’s reduction F 2 ( F 1 ( x )) = 0 f 2 = 0 F ( ), G ( ),… (( x = f 1 ) f 1 = f 2 ) f 2 =0) Given a formula UF with uninterpreted functions f1f1 f2f2
Technion19 Ackermann’s reduction : Example Given the formula ( x 1 x 2 ) Ç ( F ( x 1 ) = F ( x 2 )) Ç ( F ( x 1 ) F ( x 3 )) which we want to check for validity, we first number the function instances: ( x 1 x 2 ) Ç ( F 1 ( x 1 ) = F 2 ( x 2 )) Ç ( F 1 ( x 1 ) F 3 ( x 3 ))
Technion20 Ackermann’s reduction : Example ( x 1 x 2 ) Ç ( F 1 ( x 1 ) = F 2 ( x 2 )) Ç ( F 1 ( x 1 ) F 3 ( x 3 )) Replace each function with a new variable, ( x 1 x 2 ) Ç ( f 1 = f 2 ) Ç ( f 1 f 3 ) Condition with Functional Consistency constraints:
Technion21 Given a formula UF with UFs For each function in UF : Number function instances (from the inside out) Replace a function instance F i with an expression case x 1 = x i : f 1 x 2 = x i : f 2 x i-1 =x i : f i-1 true : f i UFs Equality Logic: Bryant’s reduction F 1 ( x 1 ) = F 2 ( x 2 ) F ( ), G ( ),… case x 1 = x 2 : f 1 true : f 2 f 1 =
Technion22 Bryant’s reduction: Example x 1 = x 2 F 1 ( G 1 ( x 1 )) = F 2 ( G 2 ( x 2 )) Replace each function with an expression where
Technion23 Using UFs in proofs Uninterpreted functions gives us the ability to represent an abstract view of functions. It over-approximates the concrete system = 1 is a contradiction But F (1,1) = 1 is satisfiable ! Conclusion: unless we are careful, we can give wrong answers and this way lose soundness.
Technion24 Using UFs in proofs In general a sound and incomplete method is more useful than unsound and complete. A sound but incomplete algorithm: Given a formula with uninterpreted functions UF : Transform it to Equality Logic formula E If E is unsatisfiable return Unsatisfiable Else return ‘Don’t know’
Technion25 Using UFs in proofs Question #1: is this useful ? Question #2: can it be made complete in some cases ? When the abstract view is sufficient for the proof, it enables (or simplifies) a mechanical proof. So when is the abstract view sufficient ?
Technion26 Using UFs in proofs (cont’d) (common) Proving equivalence between: Two versions of a hardware design (one with and one without a pipeline) Source and target of a compiler (“Translation Validation”) (rare) Proving properties that do not rely on the exact functionality of some of the functions.
Technion27 Example: Translation Validation Assume the source program has the statement z = ( x 1 + y 1 ) ( x 2 + y 2 ) which the compiler turned into: u 1 = x 1 + y 1 ; u 2 = x 2 + y 2 ; z = u 1 u 2 ; We need to prove that: ( u 1 = x 1 + y 1 u 2 = x 2 + y 2 z = u 1 u 2 ) z = ( x 1 + y 1 ) ( x 2 + y 2 )
Technion28 Example (cont’d) ( u 1 = x 1 + y 1 u 2 = x 2 + y 2 z = u 1 u 2 ) z = ( x 1 + y 1 ) ( x 2 + y 2 ) ( u 1 = F 1 ( x 1, y 1 ) u 2 = F 2 ( x 2, y 2 ) z = G 1 ( u 1, u 2 )) z = G 2 ( F 1 ( x 1, y 1 ), F 2 ( x 2, y 2 )) Claim: is valid We will prove this by reducing it to an Equality Logic formula UF :
Technion29 Uninterpreted Functions: usability Good: each function on the left can be mapped to a function on the right with equivalent arguments Bad: almost all other cases Example: LeftRight x + x 2 x
Technion30 Uninterpreted Functions: usability This is easy to prove: x1 = y1 x2 = y2 x1 + y1 = x2 + y2x1 = y1 x2 = y2 x1 + y1 = x2 + y2 This requires knowledge on commutativity: x1 = y2 x2 = y1 x1 + y1 = x2 + y2x1 = y2 x2 = y1 x1 + y1 = x2 + y2 easy fix: ((x 1 = x 2 y 1 = y 2 ) ( x 1 = y 2 x 2 = y 1 )) f 1 = f 2 What about other cases ? use Rewriting rules
Technion31 Example: equivalence of C programs (1/4) These two functions return the same value regardless if it is ‘*’ or any other function. Conclusion: we can prove equivalence by replacing ‘*’ with an Uninterpreted Function Power3 (int in ) { out = in ; for ( i =0; i < 2; i ++) out = out * in ; return out ; } Power3 _ new (int in ) { out = ( in * in )* in ; return out ; }
Technion32 Example: equivalence of C programs (1/4) But first… we need to know how to write programs as equations. We will learn one out of several options, namely Static Single Assignment for Bounded programs. Power3 (int in ) { out = in ; for ( i =0; i < 2; i ++) out = out * in ; return out ; } Power3 _ new (int in ) { out = ( in * in )* in ; return out ; }
Technion33 From programs to equations Static Single Assignment (SSA) form Ma ze???
Technion34 Static Single Assignment form In this case we can replace with a guard: y 3 Ã x 2 < 3 ? y 1 : y 2 Problem: What do we do with loops ?
Technion35 SSA for bounded programs For each loop i in a given program, let k i be a bound on its iteration count. Unroll the program according to the bounds. We are left with statements and conditions.
Technion36 SSA for bounded programs : x = 0; while (x < y) { x++; z = z + y; } x = 0; z = z * 2; Let k 1 = 2 … x 0 = 0 guard 0 = x 0 < y 0 x 1 = guard 0 ? x 0 + 1: x 0 z 1 = guard 0 ? z 0 + y 0 : z 0 guard 1 = x 1 < y 0 x 2 = guard 1 ? x 1 + 1: x 1 z 2 = guard 1 ? z 1 + y 0 : z 1 x 4 = 0 z 3 = z 2 * 2
Technion37 Example: equivalence of C programs (2/4) Power3 (int in ) { out = in ; for ( i =0; i < 2; i ++) out = out * in ; return out ; } Power3 _ new (int in ) { out = ( in * in )* in ; return out ; } out 0 = in Æ out 1 = out 0 * in Æ out 2 = out 1 * in out’ 0 = ( in’ * in’ ) * in’ Prove that both functions return the same value ( out 2 = out’ 0 ) given that in = in ’ Static Single Assignment (SSA) form:
Technion38 Example: equivalence of C programs (3/4) out 0 = in Æ out 1 = out 0 * in Æ out 2 = out 1 * in out’ 0 = ( in’ * in’ ) * in’ With Uninterpreted Functions: out 0 = in Æ out 1 = F 1 ( out 0, in ) Æ out 2 = F 2 ( out 1, in ) out’ 0 = F 4 ( F 3 ( in’, in’ ), in’ ) Static Single Assignment (SSA) form:
Technion39 Example: equivalence of C programs (4/4) With Uninterpreted Functions: out 0 = in Æ out 1 = F 1 ( out 0, in ) Æ out 2 = F 2 ( out 1, in ) out’ 0 = F 4 ( F 3 ( in’, in’ ), in’ ) E a : out 0 = in Æ out 1 = f 1 Æ out 2 = f 2 E b : out’ 0 = f 4 Ackermann’s reduction: The Verification Condition (“the proof obligation”) (( out 0 = out 1 Æ in = in ) ! f 1 = f 2 ) Æ (( out 0 = in ’ Æ in = in ’) ! f 1 = f 3 ) Æ (( out 0 = f 3 Æ in = in ’) ! f 1 = f 4 ) Æ (( out 1 = in ’ Æ in = in ’) ! f 2 = f 3 ) Æ (( out 1 = f 3 Æ in = in ’) ! f 2 = f 4 ) Æ (( in ’ = f 3 Æ in ’ = in ’) ! f 3 = f 4 ) Æ ( in = in ’) Æ E a Æ E b ! out 2 = out ’ 0
Technion40 Uninterpreted Functions: simplifications Let n be the number of function instances of F () Both reduction schemes require O( n 2 ) comparisons This can be the bottleneck of the verification effort Solution: try to guess the pairing of functions Still sound: wrong guess can only make a valid formula invalid
Technion41 UFs: simplifications (1) Given that x 1 = x 1 ’, x 2 = x 2 ’, x 3 = x 3 ’, prove ² o 1 = o 2 o 1 = ( x 1 + ( a ¢ x 2 )) a = x 3 + 5Left f1 f2f1 f2 o 2 = ( x 1 ’ + ( b ¢ x 2 ’)) b = x 3 ’ + 5Right f3f4f3f4 4 function instances 6 comparisons
Technion42 UFs: simplifications (2) o 1 = ( x 1 + ( a ¢ x 2 )) a = x 3 + 5Left f1 f2f1 f2 o 2 = ( x 1 ’ + ( b ¢ x 2 ’)) b = x 3 ’ + 5Right f3f4f3f4 Guess: validity of equivalence does not rely on f 1 = f 2 or on f 3 = f 4 Conclusion: only enforce functional consistency of pairs (Left,Right)
Technion43 UFs: simplifications (3) Down to 4 comparisons… (from n ( n -1)/2 to n 2 /4) Another Guess: validity of equivalence only depends on f 1 = f 3 and f 2 = f 4 Pattern matching can be useful here... o 1 = ( x 1 + ( a ¢ x 2 )) a = x 3 + 5Left f 1 f 2 o 2 = ( x 1 ’ + ( b ¢ x 2 ’)) b = x 3 ’ + 5Right f 3 f 4
Technion44 UFs: simplifications (4) + ¢ in f1, f3f1, f3 + 5 f2, f4f2, f4 Match according to patterns (‘signatures’): Down to 2 comparisons… o 1 = ( x 1 + ( a ¢ x 2 )) a = x 3 + 5Left f 1 f 2 o 2 = ( x 1 ’ + ( b ¢ x 2 ’)) b = x 3 ’ + 5Right f 3 f 4
Technion45 UFs: simplifications (5) f1, f3f1, f3 Propagate through intermediate variables: + in ¢ o 1 = ( x 1 + ( a ¢ x 2 )) a = x 3 + 5Left f 1 f 2 o 2 = ( x 1 ’ + ( b ¢ x 2 ’)) b = x 3 ’ + 5Right f 3 f 4 var in ¢ + 5
Technion46 Same example map F 1 to F 3 out 0 = in Æ out 1 = out 0 * in Æ out 2 = out 1 * in out’ 0 = ( in’ * in’ ) * in’ With Uninterpreted Functions: out 0 = in Æ out 1 = F 1 ( out 0, in ) Æ out 2 = F 2 ( out 1, in ) out’ 0 = F 4 ( F 3 ( in’, in’ ), in’ ) Static Single Assignment (SSA) form: F in F F map F 2 to F 4
Technion47 Same example, smaller Verification Condition With Uninterpreted Functions: out 0 = in Æ out 1 = F 1 ( out 0, in ) Æ out 2 = F 2 ( out 1, in ) out’ 0 = F 4 ( F 3 ( in’, in’ ), in’ ) E a : out 0 = in Æ out 1 = f 1 Æ out 2 = f 2 E b : out’ 0 = f 4 Ackermann’s reduction: The Verification Condition has shrunk: (( out 0 = in ’ Æ in = in ’) ! f 1 = f 3 ) Æ (( out 1 = f 3 Æ in = in ’) ! f 2 = f 4 ) Æ ( in = in ’) Æ E a Æ E b ! out 2 = out ’ 0
Technion48 now with Bryant’s reduction: With Uninterpreted Functions: out 0 = in Æ out 1 = F 1 ( out 0, in ) Æ out 2 = F 2 ( out 1, in ) out’ 0 = F 4 ( F 3 ( in’, in’ ), in’ ) E a : out 0 = in Æ out 1 = f 1 Æ out 2 = f 2 E b : out’ 0 = case case in ’= out o Æ in ’= in : f 1 true: f 3 =out 1 Æ in’=in :: f 2 true: f 4 Bryant’s reduction: The Verification Condition (“the proof obligation”) Prove validity of: E a Æ E b Æ in = in ’) ! out 2 = out ’ 0
Technion49 So is Equality Logic with UFs interesting? 1. It is expressible enough to state something interesting. 2. It is semi-decidable and more efficiently solvable than richer logics, for example in which some functions are interpreted. 3. Models which rely on infinite-type variables are more naturally expressed in this logic in comparison with Propositional Logic.
Technion50 Part II – Introduction to Equality Logic and Uninterpreted Functions Introduction Definition, complexity Reducing Uninterpreted Functions to Equality Logic Using Uninterpreted Functions in proofs Simplifications Introduction to the decision procedures The framework: assumptions and Normal Forms General terms and notions Solving a conjunction of equalities Simplifications
Technion51 Basic assumptions and notations Input formulas are in NNF Input formulas are checked for satisfiability Formula with Uninterpreted Functions: UF Equality formula: E
Technion52 First: conjunction of equalities Input: A conjunction of equalities and disequalities 1. Define an equivalence class for each variable. For each equality x = y unite the equivalence classes of x and y. (use a an algorithm for uniting disjoint sets) 2. For each disequality u v if u is in the same equivalence class as v return 'UNSAT'. 3. Return 'SAT'.
Technion53 Example x 1 = x 2 Æ x 2 = x 3 Æ x 4 = x 5 Æ x 5 x 1 x1,x2,x3x1,x2,x3 x4,x5x4,x5 Equivalence class Is there a disequality between members of the same class ?
Technion54 Next: add Uninterpreted Functions x 1 = x 2 Æ x 2 = x 3 Æ x 4 = x 5 Æ x 5 x 1 Æ F ( x 1 ) F ( x 2 ) x1,x2,x3x1,x2,x3 x4,x5x4,x5 Equivalence class F(x1)F(x1) F(x2)F(x2)
Technion55 Next: Compute the Congruence Closure x 1 = x 2 Æ x 2 = x 3 Æ x 4 = x 5 Æ x 5 x 1 Æ F ( x 1 ) F ( x 2 ) x1,x2,x3x1,x2,x3 x4,x5x4,x5 Equivalence class Now - is there a disequality between members of the same class ? This is called the Congruence Closure F ( x 1 ), F ( x 2 )
Technion56 And now: consider a Boolean structure x 1 = x 2 Ç ( x 2 = x 3 Æ x 4 = x 5 Æ x 5 x 1 Æ F ( x 1 ) F ( x 2 )) x4,x5x4,x5 Equivalence class x2,x3x2,x3 case 1case 2 Syntactic case splitting: this is what we want to avoid! x1,x2x1,x2 Equivalence class
Technion57 Deciding Equality Logic with UFs Input: Equality Logic formula UF Convert UF to DNF For each clause: Define an equivalence class for each variable and each function instance. For each equality x = y unite the equivalence classes of x and y. For each function symbol F, unite the classes of F ( x ) and F ( y ). If all disequalities are between terms from different equivalence classes, and no two constants are in the same class, return 'SAT'. Return 'UNSAT'.
Technion58 Basic notions E : x = y Æ y = z Æ z x The Equality predicates: { x = y, y = z, z x } which we can break to two sets: E = ={ x = y, y = z }, E = { z x } The Equality Graph G E ( E ) = hV, E =, E i (a.k.a “E-graph”) x y z
Technion59 Basic notions E : x = y Æ y = z Æ z x unsatisfiable 2 E : x = y Æ y = z Ç z x satisfiable The graph G E ( E ) represents an abstraction of E It ignores the Boolean structure of E x y z
Technion60 Basic notions Equality Path: a path in E = we write x =* z Disequality Path: a path in E = with exactly one edge from E . We write x * y x y z
Technion61 Basic notions Contradictory Cycle: two nodes x and y, s.t. x= * y and x * y form a contradictory cycle Dfn: A subgraph is called satisfiable iff the conjunction of the predicates represented by its edges is satisfiable. Thm: A subgraph is unsatisfiable iff it contains a Contradictory cycle x y z
Technion62 Basic notions Thm: Every contradictory cycle is either simple or contains a simple contradictory cycle
Technion63 Simplifications, again Let S be the set of edges that are not part of any contradictory cycle Thm: replacing all solid edges in S with False, and all dashed edges in S with True, preserves satisfiability
Technion64 Simplification: example x1x1 x2x2 x3x3 x4x4 (x 1 = x 2 Ç x 1 x 4 ) Æ (x 1 x 3 Ç x 2 = x 3 ) (x 1 = x 2 Ç True) Æ (x 1 x 3 Ç x 2 = x 3 ) ( : False Ç True) = True Satisfiable! True False
Technion65 Syntactic vs. Semantic splits So far we saw how to handle disjunctions through syntactic case-splitting. There are much better ways to do it than simply transforming it to DNF: Semantic Tableaux, SAT- based splitting, and others. We will investigate some of these methods later in the course.
Technion66 Now we start looking at methods that split the search space instead. This is called semantic splitting. SAT is a very good engine for performing semantic splitting, due to its ability to guide the search, prune the search-space etc. Syntactic vs. Semantic splits