1. Decision Procedures in Equality Logic

2. EUF: Equality with Uninterpreted Funcs
Decidable fragment of first order logic
Formulas (F ) Boolean Expressions
F, F1  F2, F1  F2 Boolean connectives
T1 = T2 Equation
P (T1, …, Tk) Predicate application
Terms (T ) Integer Expressions
ITE(F, T1, T2) If-then-else
Fun (T1, …, Tk) Function application
Functions (Fun) Integer  Integer
f Uninterpreted function symbol
Read, Write Memory operations
Predicates (P) Integer  Boolean
p Uninterpreted predicate symbol

3. EUF Decision Problem Circuit Representation of Formula Task
Truth Values
Dashed Lines
Model Control
Logical connectives
Equations
Integer Values
Solid lines
Model Data
Uninterpreted functions
If-Then-Else operation
Task
Determine whether formula F is universally valid
True for all interpretations of variables and function symbols
Often expressed as (un)satisfiability problem
Prove that formula F is not satisfiable = Ø Ú f T F Ù e 1 x d

4. Finite Model Property for EUF= Ø Ú f T F Ù e 1 x d
f (d0) d0 x0
f (x0)
Observation
Any formula has limited number of distinct expressions
Only property that matters is whether or not different terms are equal

5. Some History of EUF Decision Procedures
Ackermann, 1954
Quantifier-free decision problem can be decided based on finite instantiations
Burch & Dill, CAV ‘94
Automatic decision procedure
Davis-Putnam enumeration
Congruence closure to enforce functional consistency
Boolean approaches
Goel, et al, CAV ‘98
Attempted with BDDs, but didn’t get good results
Bryant, German, Velev, CAV ‘99
Could verify microprocessor using BDDs
Velev & Bryant, DAC 2001
Demonstrated power of modern SAT procedures

6. Basic assumptions and notations
Input formulas are in NNF
Input formulas are checked for satisfiability
Formula with Uninterpreted Functions: UF
Equality formula: E

7. Uninterpreted functions
From a general formula:
To a formula with uninterpreted functions

8. Ackerman’s reduction From a formula with uninterpreted functions:
To a formula in the theory of equality

9. First: conjunction of equalities
Input: A conjunction of equalities and disequalities
Define an equivalence class for each variable. For each equality x = y unite the equivalence classes of x and y. Repeat until convergence.
For each disequality u  v if u is in the same equivalence class as v return 'UNSAT'.
Return 'SAT'.
student’s project: implement it with set-union. See page 448 in the algorithms book (CLR)

10. Example x1 = x2 Æ x2 = x3 Æ x4=x5 Æ x5  x1
This is SAT – the only disequality is between different classes
Equivalence class
Equivalence class
Is there a disequality between members of the same class ?

11. Next: add Uninterpreted Functions
x1 = x2 Æ x2 = x3 Æ x4=x5 Æ x5  x1 Æ F(x1) F(x2)
F(x1)
x4,x5
x1,x2,x3
Equivalence class
Yes!
F(x2)
Equivalence class
Equivalence class
Equivalence class

12. Next: Compute the Congruence Closure
x1 = x2 Æ x2 = x3 Æ x4=x5 Æ x5  x1 Æ F(x1) F(x2)
x1,x2,x3
F(x1),F(x2)
x4,x5
Yes!
Equivalence class
Equivalence class
Now - is there a disequality between members of the same class ?
This is called the Congruence Closure

13. And now: consider a Boolean structure
x1 = x2 Ç (x2 = x3 Æ x4=x5 Æ x5  x1 Æ F(x1)  F(x2))
x1,x2
x2,x3
x4,x5
F(x1)
F(x2)
Equivalence class
Equivalence classes
Yes!
case 1
case 2
Syntactic case splitting: this is what we want to avoid!

14. Deciding Equality Logic with UFs
Input: Equality Logic formula UF
Convert UF to DNF
For each clause:
Define an equivalence class for each variable and each function instance.
For each equality x = y unite the equivalence classes of x and y. For each function symbol F, unite the classes of F(x) and F(y). Repeat until convergence.
If all disequalities are between terms from different equivalence classes, return 'SAT'.
Return 'UNSAT'.
Note that we ignore constants here for the time being.
if there are constants then the presence of two constants in the same class makes it unsat

15. Basic notions E: x = y Æ y = z Æ z  x
The Equality predicates: {x = y, y = z, z  x} which we can break to two sets: E= ={x = y, y = z}, E = {z  x}
The Equality Graph GE(E) = hV,E=,Ei (a.k.a “E-graph”) x y z

16. Basic notions 1E: x = y Æ y = z Æ z  x unsatisfiable
2E: x = y Æ y = z Ç z  x satisfiable
The graph GE(E) represents an abstraction of E
It ignores the Boolean structure of E x y z

17. Basic notions x y z
Dfn: a path made of E= edges is an Equality Path. we write x =*z.
Dfn: a path made of E= edges + exactly one edge from E is a Disequality Path. We write x *y.

18. Basic notions x y z
Dfn. A cycle with one disequality edge is a Contradictory Cycle.
In a Contradictory Cycle, for every two nodes x,y it holds that x =* y and x * y.

19. Basic notions x y z
Dfn: A subgraph is called satisfiable iff the conjunction of the predicates represented by its edges is satisfiable.
Thm: A subgraph is unsatisfiable iff it contains a Contradictory cycle

20. Basic notions
Thm: Every Contradictory Cycle is either simple or contains a simple contradictory cycle

21. Simplifications, again
Let S be the set of edges that are not part of any Contradictory Cycle
Thm: replacing all solid edges in S with False, and all dashed edges in S with True, preserves satisfiability

22. Simplification: example
True x4
False x2
True x1
(x1 = x2 Ç x1 = x4) Æ (x1  x3 Ç x2 = x3)
(x1 = x2 Ç True) Æ (x1  x3 Ç x2 = x3)
(:False Ç True) = True
Satisfiable!

23. Syntactic vs. Semantic splits
So far we saw how to handle disjunctions through syntactic case-splitting.
There are much better ways to do it than simply transforming it to DNF:
Semantic Tableaux,
SAT-based splitting,
others…
We will investigate some of these methods later in the course.

24. Syntactic vs. Semantic splits
Now we start looking at methods that split the search space instead. This is called semantic splitting.
SAT is a very good engine for performing semantic splitting, due to its ability to guide the search, prune the search-space etc.

25. Part III – Decision Procedures for Equality Logic and Uninterpreted Functions
Algorithm I – From Equality to Propositional Logic
Adding transitivity constraints
Making the graph chordal
An improved procedure: consider polarity
Algorithm II – Range-Allocation
What is the small-model property?
Finding a small adequate range (domain) to each variable
Reducing to Propositional Logic

26. Decision Procedures for Equality Logic
We will first investigate methods that solve Equality Logic. Uninterpreted functions are eliminated with one of the reduction schemes.
Our starting point: the E-Graph GE(E)
Recall: GE(E) represents an abstraction of E: It represents ALL equality formulas with the same set of equality predicates as E

27. From Equality to Propositional Logic Bryant & Velev 2000: the Sparse method
E = x1 = x2 Æ x2 = x3 Æ x1  x3
enc = e1 Æ e2 Æ :e3
Encode all edges with Boolean variables
(note: for now, ignore polarity)
This is an abstraction
Transitivity of equality is lost!
Must add transitivity constraints! e3 e2 e1

28. From Equality to Propositional Logic
E = x1 = x2 Æ x2 = x3 Æ x1  x3
enc = e1 Æ e2 Æ :e3
For each cycle add a transitivity constraint
trans = (e1 Æ e2 ! e3) Æ (e1 Æ e3 ! e2) Æ
(e3 Æ e2 ! e1)
Check: enc Æ trans e3 e2 e1
Fix spaces

29. From Equality to Propositional Logic
There can be an exponential number of cycles, so let’s try to make it better.
Thm: it is sufficient to constrain simple cycles only T T e2 e3 T e4 F e1 e6 e5 T T

30. From Equality to Propositional Logic
Still, there is an exponential number of simple cycles.
Thm [Bryant & Velev]: It is sufficient to constrain chord-free simple cycles T e2 T e5 T F e1 e3 F e4 T

31. From Equality to Propositional Logic
Still, there can be an exponential number of chord-free simple cycles…
Solution: make the graph ‘chordal’ by adding edges. ….
Improve drawing

32. From Equality to Propositional Logic
Dfn: A graph is chordal iff every cycle of size 4 or more has a chord (an edge not in the cycle but connects two points of the cycle).
How to make a graph chordal ? eliminate vertices one at a time, and connect their neighbors.

33. From Equality to Propositional Logic
Once the graph is chordal, we can constrain only the triangles.
Note that this procedure adds not more than a polynomial # of edges, and results in a polynomial no. of constraints. T T T T
Contradiction! T F T

34. Improvement So far we did not consider the polarity of the edges.
Claim: in the following graph trans = e3 Æ e2 ! e1 is sufficient
This is only true because of monotonicity of NNF e1 e2 e3
Consider to hide the next 5 slides

35. Definitions
Dfn: A contradictory Cycle C is constrained under T if T does not allow this assignment
C = F T

36. Main theorem If T R constrains all simple contradictory cycles, and
For every assignment S, S ² T S ! S ² T R
then E is satisfiable iff B Æ T R is satisfiable
From the Sparse method
The Equality Formula

37. RTC: Reduced Transitivity Constraint
Transitivity: 5 constraints
RTC: 0 constraints
Transitivity: 5 constraints
RTC: 1 constraint F T

38. Proof of the main theorem
() E is satisfiable  BÆT S is satisfiable  BÆT R is satisfiable
() Proof strategy:
Let R be a satisfying assignment to B Æ T R
We will construct S that satisfies B Æ T S
From this we will conclude that E is satisfiable
On the right: at least one of e1,e2 is non-conductive

39. Definitions for the proof…
A Violating cycle under an assignment R:
This assignment violates T S but not necessarily T R
Either dashed or solid F
eT1 T eF T
On the right: at least one of e1,e2 is non-conductive
eT2

40. More definitions for the proof…
An edge e = (vi,vj) is equal under an assignment  iff there is an equality path between vi and vj all assigned T under . Denote: v3 F T T v1 v2 T T

41. More definitions for the proof…
An edge e = (vi,vj) is disequal under an assignment  iff there is a disequality path between vi and vj in which the solid edge is the only one assigned false by . Denote: v3 F T T v1 v2 T T

42. Proof…
Observation 1: The combination is impossible if = R (recall: R ² T R)
Observation 2: if (v1,v3) is solid, then F T v1 v2 v3

43. ReConstructing S Type 1: It is not the case that Assign S (e23) = F
Otherwise it is not the case that
Assign  (e13) = T v3 v3 F F T
 T T
 F T T v1 v1 v2 v2
In all other cases S = R

44. ReConstructing S Starting from R, repeat until convergence:
(eT) := F in all Type 1 cycles
(eF) := T in all Type 2 cycles
All Type 1 and Type 2 triangles now satisfy T S
B is still satisfied (monotonicity of NNF)
Left to prove: all contradictory cycles are still satisfied

45. Proof…
Invariant: contradictory cycles are not violating throughout the reconstruction.
contradicts the precondition to make this assignment… v3 T F T
 F T v1 v2

46. Proof…
Invariant: contradictory cycles are not violating throughout the reconstruction.
contradicts the precondition to make this assignment… v3 T F F
 T T T v1 v2

47. Applying RTC
How can we use the theorem without enumerating contradictory cycles ?
Answer:
Consider the chordal graph.
Constrain triangles if they are part of a (simple) contradictory cycle
How?

48. The RTC algorithm
Bi-Connected Component (BCC) – maximal set of edges s.t. any two edges in the set lie on a common simple cycle.
Find all BCC-s with one solid edge.
Add solid chords from the graph, and auxiliary dashed chords to make the BCC chordal.

49. Is this constraint necessary ?
Should we constrain this triangle?
In which direction ?

50. Decomposing the graph
Focus on Bi-connected dashed components built on top of a solid edge
Includes all contradictory cycles involving this edge

51. Make the component chordal
Chordal-ity guarantees: every cycle contains a simplicial vertex, i.e. a vertex that its neighbors are connected.

52. The RTC algorithm Constraints cache: e2 Æ e3 ! e1 e4 Æ e7 ! e25 8 4 6 7 3 2 9 1 12 11

53. Constrains all contradictory cycles
Constraints cache:
e2 Æ e3 ! e1
e4 Æ e7 ! e2
e6Æ e3 ! e4 5 8 4 6 7 3 2 9 1 12 11

54. Results – random graphs
V=200, E=800, 16 random topologies

55. Random graphs (Satisfiable)

56. Decision Procedures for Equality Logic and Uninterpreted Functions
Algorithm I – From Equality to Propositional Logic
Adding transitivity constraints
Making the graph chordal
An improved procedure: consider polarity
Algorithm II – Range-Allocation
What is the small-model property?
Finding a small adequate range (domain) to each variable
Reducing to Propositional Logic    

57. Range allocation
The small model property
Range Allocation

58. Uninterpreted functions
From a general formula:
To a formula with uninterpreted functions

59. Ackerman’s reduction From a formula with uninterpreted functions:
To a formula in the theory of equality

60. The Small Model Property
Equality Logic enjoys the Small Model Property
This means that if a formula in this logic is satisfiable, then there is a finite, bounded in size, model that satisfies it.
It gets better: in Equality Logic we can compute this bound, which suggests a decision procedure.
What is this bound?

61. The Small Model Property
Claim: the range 1..n is adequate, where n is the number of variables in 
Proof:
Every satisfying assignment defines a partition of the variables
Every assignment that results in the same partitioning also satisfies the formula
The range 1..n allows all partitionings

62. Complexity We need log n variables to encode the range 1…n
For n variables we need n log n bits.
This is already better than the worst-case O(n2) bits required by the binary encoding method …

63. Finite Instantiations revisited
Instead of giving the range [1..11], analyze connectivity: x1 x2 y1 y2 g1 g2 u1 f1 f2 u2 z
x1, y1, x2, y2 :{0-1} u1, f1, f2, u2 : {0-3}
g1, g2, z: {0-2}
The state-space: from 1111 to ~105

64. The state-space: from ~105 to 576
Or even better:
{0}
{0-1} x1 x2 y1 y2 g1 g2 u1 f1 f2 u2 z
x1, y1, g1 , u1 : {0}
x2, y2 , g2 , f1 : {0-1}
f2, z : {0-2}
u2 : {0-3}
Add explanation here
The state-space: from ~105 to 576
An Upper-bound: State-space  n!

65. Choosing a minimal range for the integer variables
E: :((a = b) Ç :(b = c)) !((d  e))
0. a,b,c,d,e : {1} (1) (normal)
1. a,b,c,d,e : {1..5} (3125) (1..n)
2. a,b,c : {1..3} (connectivity
d,e : {1..2} (108) analysis)
3. a: {1}, b:{1-2}, c: {1-3} (factorial
d: {1}, e: {1-2} (12) reduction)

66. Before and after, in SMV

67. The Range-Minimization Problem
Given an Equality formula E, find in polynomial time a small domain D* sufficient to preserve its satisfiability
In other words: find D* such that
E is satisfiable under an infinite domain D !
E is satisfiable under the finite domain D*
Here we talk about domain D* and never return to it. Be consistent about domain/range

68. The strategy
1. Determine a range allocation R, mapping each variable xiE into a small set of integers, s.t. E is satisfiable iff it is satisfiable over some R-interpretation.
2. Encode each variable xi as an enumerated type over R(xi), and use a standard satisfiability checker as a decision procedure.
change to domain allocation ?

69. What range is adequate ?
Recall that a subgraph of an E-Graph GE(E) is unsatisfiable iff it contains a contradictory cycle.
Dfn: A Range Allocation R is adequate for GE(E) if every satisfiable subgraph can be satisfied under R.
Now we need an algorithm to find adequate ranges

70. The price of a polynomial procedure:
Examples:
change the fonts
The price of a polynomial procedure:
The predicates of E hold less information than E .

71. Building the E-Graph E : E= : x1 x2 y1 y2 g1 g2 u1 f1 f2 u2 z
Note: 1. Inconsistent subsets appear as contradictory cycles
2. Some of the vertices are mixed

72. The Range-Allocation Algorithm
Step I - pre-processing:
A. Remove all solid edges not belonging to contradictory cycles.
B. Add a single unique value to singleton vertices, and remove them from the graph.
{0}
{1}
{2}
{3} x1 x2 y1 y2 g1 g2 u1 f1 f2 u2 z

73. Step II - Set construction:
A. For each mixed vertex xi:
1. Add a unique value ui to R(xi)
2. Broadcast ui on G=
3. Remove xi from the graph
B. Add a unique value to each remaining G= component
{4}
{4}
{4, }
{4, }
{4} g1 g2 g1 g1 g2
Underline – a value given in stage A1
Overline – a value given in stage B z z z
{4, }
{4, }
{4} 1. 2.

74. {6}
{6}
{6}
{6} u1 f1 f2 u2 1.
{6,7}
{6,7}
{6,7} 2. f1 f2 u2
{6,7, }
{6,7, } 3. f1 u2
{6}
{6,7, }
{6,7}
{6,7, } u1 f1 f2 u2

75. Is the allocated range adequate?
We have to satisfy every consistent subset B :
For all xB, assign the smallest value allocated in step A to a mixed vertex which is G=(B) connected to x.
If there isn’t any, choose the value given in step B.
{0}
{1}
{2}
{3}
{4, }
{4} x1 x2 y1 y2 g1 g2 u1 f1 f2 u2 z
{6}
{6,7, }
{6,7}
{6,7, }
{4, }

76. Further optimizations
The order in which mixed vertices are eliminated has a strong effect.
Not all mixed vertices need to start from a unique value. An analysis that involves solving a coloring problem can help here…

77. A state-space story 1..n 1..i connectivity basic order color 1111 11!
576 72 48 16 ?
{0}
{1}
{2}
{3}
{4,5}
{4} x1 x2 y1 y2 g1 g2 u1 f1 f2 u2 z
{6,7}
{6}
{6}
{6,8}
{4,5}