Ofer Strichman, Technion Deciding Combined Theories
Technion So far we know how to… Decide Equality Logic with Uninterpreted Functions: ( x 1 = x 2 ) Ç : ( f ( x 2 ) = x 3 ) Æ … Decide Disjunctive Linear arithmetic: 3 x x 2 ¸ 2 x 3 Æ x 2 · 4 x 4 … What about a combined formula ? ( x 2 ¸ x 1 ) Æ ( x 1 - x 3 ¸ x 2 ) Æ ( x 3 ¸ 0) Æ f ( f ( x 1 ) - f ( x 2 )) f ( x 3 )
Technion We also know how to… Decide bit-vector equations a[32] £ b[32] = b[32] £ a[32] But how shall we decide f (a[32], b[1]) = f (b[32], a[1]) Æ a[32] = b[32]
Technion More combination examples: Combining lists, arithmetic and Uninterpreted Functions: ( x 1 · x 2 ) Æ ( x 2 · x 1 + car ( cons (0, x 1 ))) Æ p ( h ( x 1 ) – h ( x 2 )) Æ :p (0) Combining Arrays and Arithmetic: x = store( v, i, e )[ j ] Æ y = v [ j ] Æ x > e Æ x > y
Technion Combining theories Approach #1: Reduce all theories to a common logic, if possible (e.g. Propositional Logic). All un-quantified theories we saw so far are in NP. We saw their direct translation to SAT (i.e. not through a Turing-machine). Approach #2: Combine decision procedures of the individual theories. How? we will learn the Nelson-Oppen method* * Greg Nelson and Derek Oppen, simplification by cooperating decision procedures, 1979
Technion Reminders: theories and signatures First order logic – Symbols (Boolean connectives and quantifiers over variables), Syntax (wff-s ). Axioms, inference rules. First order theories – Additional axioms and symbols characterizing the theory. The signature of a theory T holds the set of functions and predicates of the theory. “First order quantifier-free theories with equality” – the equality predicate must be part of the signature.
Technion The Theory-Combination problem Given theories T 1 and T 2 with signatures 1 and 2, the combined theory T 1 © T 2 has signature 1 [ 2 and the union of their axioms. Let be a 1 [ 2 formula. The problem: Does T 1 © T 2 ²
Technion The problem The Theory-Combination problem is undecidable (even when the individual theories are decidable). Under certain restrictions, it becomes decidable. We will assume the following restrictions: T and T are decidable, quantifier-free first-order theories with equality. Disjoint signatures (other than equality): Å = ; More restrictions to follow…
Technion The Nelson-Oppen method (1) Purification: validity-preserving transformation of the formula after-which sub-expressions from different theories are not mixed. 1. Replace an `alien’ sub-expression with a new auxiliary variable a 2. Constrain the formula with a = Transform x · f x … into x · a Æ a f x Arithmetic Uninterpreted Functions Pure expressions, shared variables
Technion The Nelson-Oppen method (2) After purification we are left with several sets of pure expressions F 1 … F n such that: F i belongs to some ‘pure’ theory which we can decide. Shared variables are allowed, i.e. it is possible that for some i, j, vars ( F i ) Å vars ( F j ) ;. is satisfiable $ F 1 Æ … Æ F n is satisfiable
Technion The Nelson-Oppen method* (3) 1. Purify into F 1 Æ … Æ F n. 2. If 9i. F i is unsatisfiable, return `unsatisfiable’. 3. If 9i, j. F i implies an equality not implied by F j, add it to F j and goto step Return `satisfiable’. * So far only for ‘non-convex’ theories – to be explained
Technion Example (1) ( x 1 · x 2 ) Æ ( x 2 · ( x 1 + car ( cons (0, x 1 )))) Æ p ( h ( x 1 ) – h ( x 2 )) Æ :p (0) Purification: ( x 1 · x 2 ) Æ ( x 2 · x 1 + a 1 ) Æ p ( y 2 ) Æ :p (0) Æ a 1 = car ( cons ( a 5, x 1 )) Æ a 2 = a 3 – a 4 Æ a 3 = h ( x 1 ) Æ a 4 = h ( x 2 ) Æ a 5 = 0
Technion Example (1), cont’d ArithmeticEUFLists x 1 · x 2 x 2 · x 1 + a 1 a 2 = a 3 – a 4 a 5 = 0 a 3 = h ( x 1 ) a 4 = h ( x 2 ) p ( a 2 ) :p ( a 5 ) a 1 = car ( cons ( a 5, x 1 )) a 1 = a 5 x 1 = x 2 a 1 = a 5 x 1 = x 2 a 3 = a 4 a 2 = a 5 False
Technion Example(2) ( x 2 ¸ x 1 ) Æ ( x 1 – x 3 ¸ x 2 ) Æ ( x 3 ¸ 0) Æ f ( f ( x 1 ) – f ( x 2 )) f ( x 3 ) Purification: ( x 2 ¸ x 1 ) Æ ( x 1 – x 3 ¸ x 2 ) Æ ( x 3 ¸ 0) Æ f (a 1 ) f ( x 3 ) Æ a 1 = a 2 – a 3 Æ a 2 = f ( x 1 ) Æ a 3 = f ( x 2 )
Technion Example (2) – cont’d ArithmeticEUF x 2 ¸ x 1 x 1 – x 3 ¸ x 2 x 3 ¸ 0 a 1 = a 2 – a 3 f (a 1 ) f ( x 3 ) a 2 = f ( x 1 ) a 3 = f ( x 2 ) x 3 = 0 x 1 = x 2 a 2 = a 3 a 1 = 0 False
Technion Wait, it’s not so simple… Consider: : 1 · x Æ x · 2 Æ p ( x ) Æ :p (1) Æ :p (2 ) x2Zx2Z Neither theories imply an equality, and both are satisfiable. But is unsatisfiable! Arithmetic over Z Uninterpreted predicates 1 · x x · 2 p ( x ) :p (1) :p (2)
Technion Some theories have it, some don’t Definition: A theory T is convex if for all conjunctions it holds that ! Ç i=1.. n x i = y i for some n > 1, ! x i = y i for some i 2 {1..n} where x i, y i are some T variables. Convex: Linear Arithmetic over R, EUF Non-convex: Almost anything else…
Technion Convexity: examples Linear arithmetic over R without ‘ £ ’ is convex : x 1 · 1 Æ x 1 ¸ 0 implies an infinite disjunction of equalities, : x 1 · 1 Æ x 1 ¸ 1 ! x 1 = 1 implies a singleton : x 1 · 1 Æ x 1 ¸ 2implies everything Linear arithmetic over Z is not convex : 1 · x 1 Æ x 1 · 2 Although ! ( x 1 = 1 Ç x 1 =2) It is not the case that ! x 1 = 1 Ç ! x 1 = 2
Technion So why is convexity important ? Recall: : 1 · x Æ x · 2 Æ p ( x ) Æ :p (1) Æ :p (2) x2Z Neither theories imply an equality, and both are satisfiable. Arithmetic over Z Uninterpreted predicates 1 · x x · 2 p ( x ) :p (1) :p (2)
Technion So why is convexity important ? (cont’d) But: 1 · x Æ x · 2 imply the disjunction x = 1 Ç x = 2 Since the theory is non-convex we cannot propagate either x =1 or x =2. We can only propagate the disjunction itself.
Technion So why is convexity important ? (cont’d) Propagate the disjunction and perform case-splitting. Arithmetic over Z Uninterpreted predicates 1 · x x · 2 p ( x ) :p (1) Æ:p (2) x = 1 Ç x = 2 h¢i Æ x = 1 False h¢i Æ x = 2 False Split!
Technion So why is convexity important? (cont’d) Conclusion: when the theory is non-convex, we must case-split. This adds a splitting step in Nelson-Oppen. As a result: Convex theories: Polynomial Non-Convex theories: Exponential
Technion The (full) Nelson-Oppen method 1. Purify into ’: F 1 Æ…Æ F n. 2. If 9i. F i is unsatisfiable, return `unsatisfiable’. 3. If 9i, j. F i implies an equality not implied by F j, add it to F j and goto step If 9i. F i ! ( x 1 = y 1 Ç…Ç x k = y k ) but 8j F i 9 x j = y j, apply recursively to ’ Æ x 1 = y 1, …, ’ Æ x k = y k. If any of them is satisfiable, return ‘satisfiable’. Otherwise return ‘unsatisfiable’. 5. Return `satisfiable’.
Technion Correctness is hard to prove… We will prove correctness for the case of combining two convex theories. The generalization is not hard. The proof is based on [NO79]. ( ) If N.O. returns ‘unsatisfiable’ in line 2, is unsatisfiable. (That’s the simple side) Proof: Purification in line 1 guarantees that is unsat iff F 1 ÆF 2 is unsat. In line 2 we return unsat only if F 1 or F 2 are unsat. ( ) If N.O. returns ‘satisfiable’, is satisfiable. (This will require several definition and lemmas)
Technion Proof ( ) Dfn: A residue of a formula , denoted Res( ), is the strongest Equality Logic formula implied by . Res( x = f ( a ) Æ y = f ( b )) is a = b ! x = y Res( x· y Æ y· x ) is x = y Lemma 1: For any formula F, there exists a formula Res( F )
Technion Proof ( ) Recall: the Logical symbols of a formula are those shared by all first-order theories. We consider `=‘ as a logical symbol. The Non-logical symbols are theory-specific. Dfn: The parameters of a formula , denoted param ( ), are the non-logical un-quantified symbol in . Craig’s Interpolation Lemma: if A and B are formulas such that A ! B, then there exists a formula H such that A ! H and H ! B, and param( H ) µ param( A ) Å param( B ).
Technion Proof ( ) Lemma 2: if F 1 and F 2 are formulas with disjoint signatures, Res( F 1 Æ F 2 ) $ (Res( F 1 ) Æ Res( F 2 )). Proof: ( ) F 1 ! Res( F 1 ), F 2 ! Res( F 2 ), F 1 Æ F 2 ! Res( F 1 ) Æ Res( F 2 ) Res( F 1 Æ F 2 ) ! Res( F 1 ) Æ Res( F 2 ) // * * The consequence (RHS) is Equality Logic, hence it is implied by the residue of the Antecedent (LHS).
Technion Proof of Lemma 2 ( ) F 1 Æ F 2 ! Res( F 1 Æ F 2 ) F 1 ! ( F 2 ! Res( F 1 Æ F 2 )) There exists an interpolant H such that ( F 1 ! H ) Æ ( H ! ( F 2 ! Res( F 1 Æ F 2 ))) Can be rewritten as (Res( F 1 ) ! H ) Æ ( H ! ( F 2 ! Res( F 1 Æ F 2 ))) because H is an Equality Logic formula, and hence e verything implied by F 1 is also implied by Res( F 1 ). (1) (2) (3) (4) Why is H an Equality Logic formula? because param(RES( F 1 Æ F 2 )) = {} //Equality Logic formula and param(F 1 ) Å param(F 2 ) = {}
Technion Proof of Lemma 2 ( ) Since Res( F 1 Æ F 2 ) is also an Equality Logic formula: (Res( F 1 ) ! H) Æ (H ! (Res(F 2 ) ! Res( F 1 Æ F 2 ))) which implies (Res( F 1 ) ! (Res( F 2 ) ! Res( F 1 Æ F 2 ))) and hence (Res( F 1 ) Æ Res( F 2 )) ! Res( F 1 Æ F 2 ) q.e.d (Lemma 2): Res( F 1 ) Æ Res( F 2 ) $ Res( F 1 Æ F 2 ) (5) (6) (7)
Technion Proof of lemma 2 ( ) So we have Res( F 1 ) ! (H ! ( F 2 ! (Res(F 2 ) ! Res( F 1 Æ F 2 )))) Res( F 1 ) ! (Res( F 2 ) ! Res( F 1 Æ F 2 )) Since the right hand side is Equalities, then everything implied by F 1 is also implied by Res( F 1 ). Hence, (Res( F 1 ) Æ Res( F 2 )) ! Res( F 1 Æ F 2 ) q.e.d (Lemma 2): Res( F 1 ) Æ Res( F 2 ) $ Res( F 1 Æ F 2 )
Technion Lemma 3 Lemma 3: Let F 1 and F 2 be satisfiable Equality Logic formulas s.t. V = vars( F 1 ) [ vars( F 2 ). 8x, y 2 V, ( F 1 ! x = y Æ F 2 ! x = y ) or ( F 1 9 x = y Æ F 2 9 x = y ) Then, F 1 Æ F 2 is satisfiable. Proof: Let S = the set of all equalities implied by both F 1 and F 2 T = the rest of the possible equalities in V. = an assignment s.t. 8eq 2 S ² eq, 8eq 2 T, 2 eq Claim: ² F 1 Æ F 2
Technion Proof of Lemma 3 Falsely assume that 2 F 1 Then, Æ eq 2 T : eq is what makes this formula unsat Why? because 1. F 1 itself is sat, and 2. Due to monotonicity of NNF, S cannot make it unsat Hence F 1 ! Ç eq 2 T eq If 9 eq 2 T. F 1 ! eq, then eq 2 S (contradiction) Otherwise, F 1 is non-convex (contradiction) q.e.d (Lemma 3)
Technion Proof ( ) Now suppose N.O. returns SAT although F 1 Æ F 2 is unsatisfiable. Res( F 1 Æ F 2 ) = false Hence, by Lemma 2, Res( F 1 ) Æ Res( F 2 ) = false
Technion Proof ( ) On the other hand, in step 4, where we return ‘SAT’, we know that F 1 and F 2 are separately satisfiable F 1 and F 2 imply exactly the same equalities. Thus, Res( F 1 ) and Res( F 2 ) are satisfiable and imply the same equalities. Hence, according to Lemma 3, Res( F 1 ) Æ Res( F 2 ) is also satisfiable, i.e. Res( F 1 ) Æ Res( F 2 ) false (contradiction). Q.E.D (N.O.)
Technion More problems… Definition: A -theory T is Stably-infinite if for every quantifier-free -formula is satisfiable, can be satisfied by an interpretation with an infinite domain. This is the opposite of the small-model-property. Specifically, this means that no theory with a finite domain is stably infinite.
Technion Problem: non-stably infinite theories Consider a theory T 1 : 1 : A function f, Axioms that only allow solutions with 2 elements. And a theory T 2 : 2 : A function g, Domain: N So this formula is unsatisfiable: f ( x 1 ) f ( x 2 ) Æ g ( x 1 ) g ( x 3 ) Æ g ( x 2 ) g ( x 3 ) Recall that the combined theory T 1 © T 2 has the union of the axioms. Hence the solution to any formula 2 T 1 © T 2 cannot have more than 2 elements.
Technion Problem: non-stably infinite theories f ( x 1 ) f ( x 2 ) Æ g ( x 1 ) g ( x 3 ) Æ g ( x 2 ) g ( x 3 ) T1T1 T2T2 f ( x 1 ) f ( x 2 ) g ( x 1 ) g ( x 3 ) g ( x 2 ) g ( x 3 ) No equalities to propagate: Satisfiable !
Technion Solution to non-stable infinite theories Nelson-Oppen method cannot be used. Recently a solution to this problem was suggested by Tinelli & Zarba [TZ05] Assuming all combined theories are stably-finite (i.e. has a small model property), it computes the upper bound on the minimal satisfying assignment, and propagates this information between the theories.
Technion Solution to non-stable infinite theories Nelson-Oppen method cannot be used. Recently a solution to this problem was suggested by Tinelli & Zarba [TZ05] Assume all combined theories are stably finite (i.e. have a small model property), and one has only finite models. The bound N i on the minimal satisfying assignment of formulas in theory T i is computable. Transfer N i between theories. If there is no solution to theory j with cardinality at least N_i (for all i), return unsatisfiable. …