Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv."— Presentation transcript:

1 The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv

2 Bibliography Nelson & Oppen Simplification by Cooperating Decision Procedures TOPLAS 1980 Tinelli & Zarba Combining non-stably infinite theories Journal of Automated Reasoning, 2006 Simplify: A Theorem Prover for Program Checking David Detlefs, Greg Nelson, James B. Saxe JACM 2005 Verifun: An Explicating Theorem Prover for Quantified Formulas Cormac Flanagan, Rajeev Joshi, James B. Saxe HPL-2004-199 Zap: Automated Theorem Proving for Software Analysis Thomas Ball, Shuvendu K. Lahiri, Madanlal Musuvathi MSR Technical Report 2005

3 The Simplify Theorem Prover Proof by Refutation Incomplete & Sometimes diverges Supports –Full first order logic Skolemization Incomplete treatment of universal quantifications –Special theories EUF Theory of arrays Relational Linear Algebra (The Simplex) –Incomplete treatment multiplication Partial orders –Combination of theories –New axioms Very successful: used as the engine in many checkers: –ESC/Modula3, ESC/Java, SLAM,...

4 Outline Search strategy (propositional) [Specialized theories] –EUF –Arrays –Simplex Combining theories Handling quantifiers Recent systems –Verifun –ZAP

5 Simplify search strategy Somewhat naive Top down guessing of truth values with backtracking Finds implied truth values “Lazy” conversion to CNF Use “Proxies” Scored clauses Goal oriented

6 Example  a=b f(a)  f(b) b=c f(a)  f(c)  Inconsistency detected by the EUF procedure so backtrack

7 Example  a=b f(a)  f(b) b=c f(a)  f(c)  Inconsistent with EUF Report UNSAT

8 Combining Decision Procedures Programming languages combine different features –Arithmetic –Data types –Arrays –… Is there a way to compose decision procedures of different theories? Given two decidable logics is there a way to combine the logics into a decidable logic?

9 Cooperating Decision Procedures Nelson & Oppen Quantifier free Proof be refutation Separate the conjunct into separate conjuncts A  B such that –A and B use different theories –Only constants are shared If either A or B is UNSAT report UNSAT When A and B are SAT propagate equalities between A and B and repeat

10 Example Theories  x, y: CAR(CONS(x, y)) = x  x, y: CDR(CONS(x, y)) = y  x:  ATOM(x)  CONS(CAR(x), CDR(x)) = x  x, y:  ATOM(CONS(x, y)) LIST  x, y: x = y  f (x) = f(y) EUF  x: x+0 =0  x: x +-x = 0 0  1  x, y, z: (x+y)+z = x + (y+z) 0  1  x, y:x+y = y +x  x: x  x  x, y: x  y  y  x  x, y: x  y  y  x  x=y  x, y: x  y  y  z  x  z  x, y,z: x  y  x+z  y+z R

11 A Simple Example xyxy y  x+g 1 g 2 =g 3 -g 4 g 5 =0 x  y  y  x + CAR(CONS(0, x))  P(h(x)-h(y))  P(0) P(g 2 )=true P(g 5 )=false g 3 =h(x) g 4 =h(y) g 1 =CAR(CONS(g 5, x))

12 Non-Convexity If one of the theories is UNSAT the original formulas is UNSAT (Soundness) But the original formula may be UNSAT and yet no single equality suffices to prove UNSAT Happens for theories which imply non-convex equalities T  F  c 1 = c 2  c 3 = c 4 without T  F  c 1 = c 2 or T  F  c 3 = c 4 Performs a case split

13 Example for Case Split SELECT(UPDATE(v, I, e), j) = x  SELECT(v, j)=y  x>e  x>y

14 Equality Propagation Procedure 1.Assign conjunctions to F L and F F s.t., F F contains only F-literals F L contains only L-literals F L  F F is satisfiable iff F is satisfiable 2.If either F L or F F is UNSAT report UNSAT 3.If either F L or F F entails equality not entailed by other add this equality and go to step 2 4.If either F L or F F entails u 1 =v 2  u 2 =v 2  … u k =v k without entailing any equality alone then apply the procedure recursively to the k-formulas F L  F F  v i = u i If any of these formulas is SAT return SAT 5.Return UNSAT

15 Notes Only equalities are propagated Requires that the theories can find all consequent equalities Completeness is non-obvious The original paper also performs simplification

16 Convexity A formula F is non-convex F entails u 1 =v 2  u 2 =v 2  … u k =v k without entailing any equality alone –Otherwise it is convex A theory is convex Convex theories –EUF –Relational linear algebra Non-convex theories –Theory of arrays –Theory of reals under multiplications xy =0  z=0  R x=z  y=z –Theory of integers under + and 

17 Hints about Completeness The residues of formula –The strongest Boolean combinations of equalities between constants entailed by the formula x=f(a)  y=f(b)a=b  x=y x+y-a-b>0  (x=a  y=b)   (x=b  y=a) x=STORE(v, u, e)[j] i=j  x=e x=STORE(v, u, e)[j]  y=v[j] if i=j then x=e else x=y Lemma 4: If A and B are formulas whose only common parameters are constant symbols then RES(A  B) = RES(A)  RES(B)

18 The residues in the simple example xyxy y  x+g 1 g 2 =g 3 -g 4 g 5 =0 g 1 =g 5  x=y  g 5 =g 2  g 3 =g 4 x  y  y  x + CAR(CONS(0, x))  P(h(x)-h(y))  P(0) P(g 2 )=true P(g 5 )=false g 3 =h(x) g 4 =h(y) g 2  g 5  x=y  g 3 =g 4 g 1 =CAR(CONS(g 5, x)) g 1 =g 5

19 Handling Quantifiers The problem becomes undecidable Complete procedures exist and implemented (e.g., SPASS next week) Simplify employs incomplete heuristics –Instantiate universal quantifiers with relevant terms –Can be tuned by the user

20 Instantiating universal quantifiers Suppose that 8 x 1, …, x n. P is known to hold –For example, because it is an axiom –Or because it is added to the environment during a backtracking We want to find substitutions  giving values to x 1, …,x n such that  (P) will be useful in the proof

21 General idea in matching Pick a term t from P called a trigger (sometimes pattern) Instantiate P with a substitution  if  (t) is a term that the prover is likely to require information about Separately implemented for different theories Intuition: –Since P contains the term t,  (P) will contain the term  (t), and so it provides information about  (t) –This is likely to be useful, since the prover wants information about  (t)

22 Matching in the E-graph The Congruence Graph is called E-graph Match triggers into equivalence classes For every occurrence of the trigger in the E- graph assert the corresponding instance –Adds terms and equalities

23 Example Assume 8 x,y: car(cons(x,y)) = x Prove cons(a, b) = cons(c, d))  a=c First trigger “car(cons(x,y)” Second trigger “cons(x,y)”

24 Choosing a trigger Heuristically important Liberal (small) triggers –Too many terms –Sometimes infinite loops Conservative (large) triggers –May fail to prove the theorem The user can provide –Candidate triggers –Candidate untriggers

25 Triggers as sets of terms Sometimes single trigger is not enough  s, t, x: member(x, s)  subset(s, t)  member(x,t ) Use sets of terms as triggers { member(x, s), subset(s, t)}

26 Matching in the E-graph (example) Assume 8 x:f(x) = x [trigger f(x)] 8 x:g(g(x) = x [trigger g(g(x))] Prove g(f(g(a))) = a

27 Matching Loops Repeated applications of matching Example  x: P(f(x), f(g(x)) [Trigger f(x)] Can be sometimes avoided by: –Check if the body of the quantifier contains a larger instance of the term –Alternate matching and decisions –User input

28 Limitations of matching Matching loops Not goal oriented Limitations of the theories (  x: P(x+1))  P(1+a)

29 Simplify experience Handles large formulas Robust In many cases complete enough Fully automatic for simple program verification –Cleanness Incompleteness in programs –Deep properties –Shape of dynamically allocated structures But slow on Boolean combinations

30 Verifun : A Theorem Prover Using Lazy Proof Explication Rajeev Joshi Cormac Flanagan, Jim Saxe and Xinming Ou Key ideas: –use SAT solvers to find candidate truth assignments to atomic formulae – have theory modules produce compact “proofs” that are added to the SAT problem to reject all truth assignments containing the “same” inconsistency Requires –proof explicating theory modules Uses Simplify Theories extended with Explication and matching Implemented in Java (~10,500 lines) and in C (~800 lines)

31 Zap: Automated Theorem Proving for Software Analysis Thomas Ball, Shuvendu Lahiri, Madanlal Musuvati (MSR) Use a SAT algorithm for the search procedure Use Nelson&Oppen to combine theories Develop new decision procedures Use quantifier matching Add features for program analysis

32 Conclusion Handling specialized theories yields significant improvements –Efficiency –Termination –Predictability Combination procedures are useful But resolution based theorem provers can still br superior in several cases

Download ppt "The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv."

Similar presentations

SMELS: Sat Modulo Equality with Lazy Superposition Christopher Lynch – Clarkson Duc-Khanh Tran - MPI.

SMELS: Sat Modulo Equality with Lazy Superposition Christopher Lynch – Clarkson Duc-Khanh Tran - MPI.
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Completeness and Expressiveness

Completeness and Expressiveness
Inference Rules Universal Instantiation Existential Generalization

Inference Rules Universal Instantiation Existential Generalization
UIUC CS 497: Section EA Lecture #2 Reasoning in Artificial Intelligence Professor: Eyal Amir Spring Semester 2004.

UIUC CS 497: Section EA Lecture #2 Reasoning in Artificial Intelligence Professor: Eyal Amir Spring Semester 2004.
Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 

Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 
Automated Reasoning Systems For first order Predicate Logic.

Automated Reasoning Systems For first order Predicate Logic.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Plan for today Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search.

Plan for today Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search.
Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.

Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.
Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.

Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.
1 Satisfiability Modulo Theories Sinan Hanay. 2 Boolean Satisfiability (SAT) Is there an assignment to the p 1, p 2, …, p n variables such that  evaluates.

1 Satisfiability Modulo Theories Sinan Hanay. 2 Boolean Satisfiability (SAT) Is there an assignment to the p 1, p 2, …, p n variables such that  evaluates.
Automated Theorem Proving Lecture 4.   Formula := A |  |    A  Atom := b | t = 0 | t < 0 | t  0 t  Term := c | x | t + t | t – t | ct | Select(m,t)

Automated Theorem Proving Lecture 4.   Formula := A |  |    A  Atom := b | t = 0 | t < 0 | t  0 t  Term := c | x | t + t | t – t | ct | Select(m,t)
Yeting Ge Leonardo de Moura New York University Microsoft Research.

Yeting Ge Leonardo de Moura New York University Microsoft Research.
Existential Graphs and Davis-Putnam April 3, 2002 Bram van Heuveln Department of Cognitive Science.

Existential Graphs and Davis-Putnam April 3, 2002 Bram van Heuveln Department of Cognitive Science.
` ² Q E D I Nelson-Oppen review

` ² Q E D I Nelson-Oppen review
Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.

Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.
Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.

Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.

Similar presentations

Ads by Google