Download presentation
Presentation is loading. Please wait.
1
1 A propositional world Ofer Strichman School of Computer Science, Carnegie Mellon University
2
2 Integrated decision procedures in Theorem-Provers Deciding a combination of theories is the key for automation in Theorem Provers: Boolean operators, Bit-vector, Sets, Linear-Arithmetic, Uninterpreted functions, More … f(f(x)-f(y)) != f(z) & y 10 Uninterpreted functions Linear Arithmetic Bit-Vector operators Normally, each theory is solved with its own decision procedure and the results are combined (Shostak, Nelson..).
3
3 Integrated decision procedures in Theorem-Provers All of these theories, except linear arithmetic, have known efficient direct reductions to propositional logic. Thus, reducing linear arithmetic to propositional logic will: 1. Enable integration of theories in the propositional logic level. 2. Potentially be faster than known techniques.
4
4 Linear Arithmetic and its sub-theories 2x –3y +5z < 0 5x + 2w 2 Some useful methods for solving a conjunction of linear arithmetic expressions: 1.Simplex, Elliptic curve 2.Variable Elimination Methods (Hodes, Fourier-Motzkin,..) 3.Shostak’s loop residues 4.Separation theory: Bellman / Pratt... 5....
5
5 A decision procedure for separation theory Separation predicates have the form x > y + c where x,y are real variables, and c is a constant Pratt [73] (/Bellman[57]): Given a set of conjuncted separation predicates 1. Construct the `inequality graph’ 2. is satisfiable iff there is no cycle with non-negative accumulated weight : ( x > z +3 z > y –1 y > x+1) x y z 3 1
6
6 Handling disjunctions through case splitting All previously mentioned algorithms handle disjunctions by splitting the formula. This can be thought of as a two stage process: 1.Convert formula to Disjunctive Normal Form (DNF) 2.Solve each clause separately, until satisfying one of them. (A common improvement: split ‘when needed’) Case splitting is frequently the bottleneck of the procedure
7
7 So what can be done against case-splitting ? Given a formula , this transformation can be done if ’ s.t. | = | = ’, and ’ is decidable under a finite domain. When is this possible? enjoys the ‘Small model property’, or Tailor-made reduction Answer: Split the domain, not the formula.
8
8 SAT vs. infinite-state decision procedures With finite instantiation (e.g. SAT), we split the domain. Infinite state decision procedures split the formula. So what’s the big difference ?
9
9 SAT vs. infinite-state decision procedures SAT splits the domain. Infinite state decision procedures split the formula. So what’s the big difference ? 1. Pruning. 2. Learning. 3. Guidance (prioritizing internal steps) Three mechanisms, crucial for efficient decision making: SAT has a significant advantage in all three.
10
10 SAT vs. infinite-state decision procedures 1. Pruning. 2. Learning. 3. Guidance (prioritizing internal steps) Three mechanisms, crucial for efficient decision making: SAT has a significant advantage in all three.
11
11 SAT vs. infinite-state decision procedures (1/4) 1. Pruning SAT: each clause c prunes up to 2 |v|-|c| states. Others: ? (stops when finds a satisfiable clause) y x 0 01 1 Backtrack Pruned!. (x y). |v|=1000, |c| =2 Pruning 2 998 states
12
12 SAT vs. infinite-state decision procedures (2/4) 2. Learning SAT: Partial assignments that lead to a conflict are recorded and hence not repeated. Others: (depends on decision procedure) - Adding proved sub-goals as antecedents to new sub-goals - …
13
13 SAT vs. infinite-state decision procedures (3/4) 3. Guidance (prioritizing internal steps) Guidance requires efficient estimation: Consider 1 2, where 1 is unsat and hard, and 2 is sat and easy. With proper guidance, a theorem prover should start from 2. - How hard it is to solve each sub-formula? - To what extent will it simplify the rest of the proof?
14
14 SAT vs. infinite-state decision procedures (4/4) 3. Guidance (cont’d) “..To what extent will it simplify the rest of the proof?” SAT: Guidance through decision heuristics (e.g. DLIS). Others: Expression ordering,... (x y z) (x v) (~x ~z) Estimating simplification by counting literals in each phase
15
15 Example: Equality Logic with Uninterpreted Functions (1/3) Equality Logic with Uninterpreted Functions: (Uninterpreted functions are reducible to equality logic. Thus, we can concentrate on equality logic) Traditional infinite-state decision procedure: Congruence Closure with case splitting.
16
16 Example: Equality Logic (2/3) Since 1998, several groups devised finite-state decision procedures for this theory: Goel et. al. (CAV’98) – Boolean encoding and BDDs Bryant et. al. (CAV’99) – Positive-equality + finite instantiation Pnueli et. al. (CAV’99) – Small domains instantiation Bryant et. al. (CAV’00) – Boolean encoding with explicit constraints
17
17 Example: Equality Logic (3/4) Goel et. al (CAV’98): Encode each equality i=j with a new Boolean variable e ij Construct BDD of encoded formula Search BDD for a consistent path leading to ‘1’. E.g. an assignment to three variables e xy,e yz, e xz is consistent iff e xy + e yz + e xz 2
18
18 Example: Equality Logic (3/3) Let (x=y, y=z, x=z) be the equality predicates in . x y z e xy e xz e yz 2. Impose transitivity on cycles: e xy + e yz + e xz 2 1. Construct the equality graph. The resulting formula is propositional BDDs, SAT, etc. Bryant et. al. (CAV’00): Add transitivity constraints to the formula.
19
19 Example: Equality Logic (cont’d) The number of simple cycles can be exponential. Bryant et. al. Suggested to first make the graph chordal: e1e1 e2e2 e3e3 e4e4 ecec In a chordal graph, every assignment that violates transitivity, also violates transitivity of a triangle. Hence – it is sufficient to impose Transitivity over triangles.
20
20 This work 1.Separation predicates: 2.Separation predicates for integers: 3.Linear arithmetic: 4.Integer linear arithmetic: Extends the results of Bryant et.al. to a Boolean combination of: Done
21
21 Usability Separation predicates: “Most verification conditions involving inequalities are separation predicates” [Pratt, 1973]: Array bounds checks, tests on index variables, timing constraints, worst execution time analysis, etc. Linear arithmetic: All of the above + … + Linear programming, + Integer Linear programming.
22
22 Reducing separation predicates to propositional logic (1/6) : f(x) > f(y+1) : (x=y+1 f 1 =f 2 ) (f 1 >f 2 ) A. Normalize (example): : (x>y+1 y>x-1 (f 1 f 2 f 2 f 1 )) (f 1 >f 2 ) 1. Uninterpreted functions equality logic x y+1 f1=f2f1=f2 Now has no negations and only the ‘>’ and ‘ ’ predicate symbols. 2. Normal form
23
23 Reducing separation predicates to propositional logic (2/6) 1. Reduce Uninterpreted Functions to equalities. 2. Rewrite equalities as conjunction of inequalities, e.g. rewrite x=y+c as x y+c x y+c. 3. Transform to Negation Normal Form, and eliminate negations by reversing inequality signs. 4. Rewrite ‘ ’ and ‘ ’, e.g. rewrite x x – c. A. Normalize (procedure)
24
24 Reducing separation predicates to propositional logic (2/6) : z y-1) : x > z +3 (z > y –1 y x+1) A. Normalizing example:
25
25 x y z 3 1 Reducing separation predicates to propositional logic (3/6) : ( x > z +3 (z > y –1 y x+1)) ’: Transitivity constraints ( )) ( B. Encode + construct graph (example): x y z -3 1 Separation graph: and its dual:
26
26 2. Substitute each predicate in of the form x > y+c with a Boolean variable, and add an edge (x,y,c,>) to E 1. Construct a graph G(V,E), where V = variables in . Each edge e E is a 4-tuple (from, to, weight, {>, }) Reducing separation predicates to propositional logic (4/6) B. Encode predicates and construct a graph (procedure) 3. Substitute each predicate in of the form x y+c with a Boolean variable, and add an edge (x,y,c, ) to E
27
27 x y z 3 1 Reducing separation predicates to propositional logic (5/6) ’: Transitivity constraints ( )) ( C. Add transitivity constraints for each simple cycle (example): ’: (((( )) ( ( x y z -3 1
28
28 c1c1 c3c3 c2c2 1. If there are mixed edges: If total weight is not negative: 2. If all edges are ‘ ’:... 3. If all edges are ‘>’:... If total weight is not positive: C. Add transitivity constraints for each cycle C Reducing separation predicates to propositional logic (6/6)
29
29 Compact representation of constraints (1/4)..... In most cases - yes. e.g. If the diamonds are ‘balanced’ ( c 1 + c 2 = c 3 + c 4 ) O(n) constraints..... c1c1 c2c2 c 1+ c 2 n diamonds 2 n simple cycles. Can we do better than that ? c3c3 c4c4
30
30 Compact representation of constraints (2/4) Chordal graphs: each cycle of size greater than 3, has a ‘chord’. In the equality predicates case: Let C be a cycle in G Let be an assignment that violates C’s transitivity ( | C) Theorem: there exists a cycle c of size 3 in G s.t. | c Conclusion: add transitivity constraints only for triangles. Now only a polynomial no. of constraints is required. G:G:
31
31 Compact representation of constraints (3/4) Our case is more complicated: G is directed G is a multi-graph Edges have weights There are two types of edges G is chordal iff: Every directed cycle of size greater than 3 has a chord which ‘accumulates’ the weight of the path between its ends. c1c1 c2c2 c3c3 c4c4 c 1+ c 2 c5c5
32
32 Compact representation of constraints (4/4) Complexity of making the graph chordal: 1. If the diamonds are ‘balanced’ O(n) constraints 3. Worst case O(2 n )..... c1c1 c1c1 c1c1 c1c1 c2c2 c2c2 c2c2 c2c2 2. If there are uniform weights c 1 and c 2, c 1 c 2 on top and bottom paths O(n 2 ) constraints
33
33 Extension to integer variables (1/2) Given with integer separation predicates, derive R : Declare all variables as real. Replace x > y + c, x y + c where c is not an integer, with x y + c For each predicate x > y + c, add a constraint x > y + c x y + c + 1 Theorem: is satisfiable iff R is satisfiable
34
34 Extension to integer variables (1/2) Given with integer separation predicates, derive R : Declare all variables as real. Theorem: is satisfiable iff R is satisfiable (c is an integer) For each predicate x > y + c, add a constraint x > y + c x y + c + 1
35
35 Extension to integer variables (2/2) : x,y: int; x > y + 1 x < y + 2 Example: R : x,y: real; x > y + 1 y > x - 2 (x > y + 1 x y + 2) (y > x - 2 y x – 1)
36
36 Experimental results (1/3)..... n diamonds Each diamond has 2d edges Top and bottom paths in each diamond are disjuncted. There are 2 n conjuncted cycles. By adjusting the weights, we ensured that there is a single satisfying assignment. d=2
37
37 Experimental results (2/3) To be continued...
38
38 Experimental results (3/3) To be continued... The procedure has recently been integrated into SyMP and Euclid. We currently experiment with real software verification problems.
39
39 Experimental results (1/2)..... n diamonds Each diamond has 2d edges Top and bottom paths in each diamond are disjuncted. There are 2 n conjuncted cycles. By adjusting the weights, we ensured that there is a single satisfying assignment. d=2
40
40 Next: Linear Arithmetic (1/2) x > y + c x y c c1c1 c3c3 c2c2 Adding constraints according to accumulated cycle weight: The test c 1 + c 2 + c 3 > 0 results in a yes/no answer Separation predicates:
41
41 Next: Linear Arithmetic (2/2) x > y + 2 z + c x y 2 z + c 3 3 2 2 x y The test 1 + 2 + 3 > 0 results in a new predicate! Shostak[81]: ‘Deciding linear inequalities by computing loop residues’ - Determine a fixed variable order - Represent each predicate by its two ‘highest’ variables This procedure guarantees termination. Linear Arithmetic:
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.