A propositional world - Ofer Strichman, School of Computer Science, Carnegie Mellon University.
Posted 21-Dec-2015 (Documents).
1
A propositional world
Ofer Strichman
School of Computer Science, Carnegie Mellon University
2
Integrated decision procedures in Theorem-Provers
Deciding a combination of theories is the key for automation in Theorem Provers:
Boolean operators, Bit-vectors, Sets, Linear Arithmetic, Uninterpreted functions, more ...
Example: f(f(x)-f(y)) != f(z) & y <= x + 2 | b & 3 > 10
(its sub-formulas belong to: Uninterpreted functions, Linear Arithmetic, Bit-vector operators)
Normally, each theory is solved with its own decision procedure and the results are combined (Shostak, Nelson, ...).
3
Integrated decision procedures in Theorem-Provers
All of these theories, except linear arithmetic, have known efficient direct reductions to propositional logic.
Thus, reducing linear arithmetic to propositional logic will:
1. Enable integration of theories in the propositional logic level.
2. Potentially be faster than known techniques.
4
Linear Arithmetic and its sub-theories
General form: Σ_i a_i · x_i ∼ c, where ∼ is one of the relation symbols {<, ≤, =, ≥, >}
Examples: 2x − 3y + 5z < 0, 5x + 2w ∼ 2
Some useful methods for solving a conjunction of linear arithmetic expressions:
1. Simplex, Elliptic curve
2. Variable Elimination Methods (Hodes, Fourier-Motzkin, ...)
3. Shostak's loop residues
4. Separation theory: Bellman / Pratt ...
5. ...
5
A decision procedure for separation theory
Separation predicates have the form x > y + c, where x, y are real variables and c is a constant.
Pratt [73] (/ Bellman [57]): Given a set φ of conjuncted separation predicates:
1. Construct the 'inequality graph': a node per variable and, for each x > y + c, an edge from x to y with weight c.
2. φ is satisfiable iff there is no cycle with non-negative accumulated weight.
Example: φ: (x > z + 3 ∧ z > y − 1 ∧ y > x + 1)
Inequality graph: x → z (weight 3), z → y (weight −1), y → x (weight 1). The cycle accumulates 3 − 1 + 1 = 3 ≥ 0, so φ is unsatisfiable.
6
Handling disjunctions through case splitting
All previously mentioned algorithms handle disjunctions by splitting the formula.
This can be thought of as a two stage process:
1. Convert the formula to Disjunctive Normal Form (DNF)
2. Solve each clause separately, until satisfying one of them.
(A common improvement: split 'when needed')
Case splitting is frequently the bottleneck of the procedure.
7
So what can be done against case-splitting ?
Answer: Split the domain, not the formula.
Given a formula φ, this transformation can be done if there is a φ' s.t. ⊨ φ iff ⊨ φ' (φ is valid exactly when φ' is), and φ' is decidable under a finite domain.
When is this possible?
• φ enjoys the 'Small model property', or
• Tailor-made reduction
8
SAT vs. infinite-state decision procedures
With finite instantiation (e.g. SAT), we split the domain.
Infinite state decision procedures split the formula.
So what’s the big difference ?
10
SAT vs. infinite-state decision procedures
Three mechanisms, crucial for efficient decision making:
1. Pruning.
2. Learning.
3. Guidance (prioritizing internal steps).
SAT has a significant advantage in all three.
11
SAT vs. infinite-state decision procedures (1/4)
1. Pruning
SAT: each clause c prunes up to 2^(|v| − |c|) states.
Others: ? (stops when it finds a satisfiable clause)
Figure: decision tree over x and y for the clause (x ∨ y); the branch x = 0, y = 0 is backtracked and the subtree below it is pruned.
Example: |v| = 1000, |c| = 2: the clause prunes 2^998 states.
12
SAT vs. infinite-state decision procedures (2/4)
2. Learning
SAT: Partial assignments that lead to a conflict are recorded and hence not repeated.
Others: (depends on the decision procedure)
- Adding proved sub-goals as antecedents to new sub-goals
- ...
13
SAT vs. infinite-state decision procedures (3/4)
3. Guidance (prioritizing internal steps)
Guidance requires efficient estimation:
- How hard is it to solve each sub-formula?
- To what extent will it simplify the rest of the proof?
Consider φ1 ∨ φ2, where φ1 is unsat and hard, and φ2 is sat and easy.
With proper guidance, a theorem prover should start from φ2.
14
SAT vs. infinite-state decision procedures (4/4)
3. Guidance (cont’d)
“...To what extent will it simplify the rest of the proof?”
SAT: Guidance through decision heuristics (e.g. DLIS): estimating simplification by counting literals in each phase.
Example: (x ∨ y ∨ z)(x ∨ v)(¬x ∨ ¬z)
Others: Expression ordering, ...
15
Example: Equality Logic with Uninterpreted Functions (1/3)
Equality Logic with Uninterpreted Functions: (example formula over the uninterpreted functions f, g and the variables x, y, z, u1, u2)
(Uninterpreted functions are reducible to equality logic. Thus, we can concentrate on equality logic.)
Traditional infinite-state decision procedure: Congruence Closure with case splitting.
16
Example: Equality Logic (2/3)
Since 1998, several groups devised finite-state decision procedures for this theory:
• Goel et al. (CAV'98) – Boolean encoding and BDDs
• Bryant et al. (CAV'99) – Positive-equality + finite instantiation
• Pnueli et al. (CAV'99) – Small domains instantiation
• Bryant et al. (CAV'00) – Boolean encoding with explicit constraints
18
Example: Equality Logic (3/3)
Bryant et al. (CAV'00): Add transitivity constraints to the formula.
Let (x = y, y = z, x = z) be the equality predicates in φ.
1. Construct the equality graph: nodes x, y, z with edges e_xy, e_yz, e_xz.
2. Impose transitivity on cycles: e_xy + e_yz + e_xz ≠ 2.
The resulting formula is propositional → BDDs, SAT, etc.
20
This work
Extends the results of Bryant et al. to a Boolean combination of:
1. Separation predicates: x, y : real; x > y + c (Done)
2. Separation predicates for integers: x, y : int; x > y + c
3. Linear arithmetic: x, y, z : real; Σ_i a_i · x_i ∼ c
4. Integer linear arithmetic: x, y, z : int; Σ_i a_i · x_i ∼ c
21
Usability
Separation predicates: “Most verification conditions involving inequalities are separation predicates” [Pratt, 1973]: array bounds checks, tests on index variables, timing constraints, worst-case execution time analysis, etc.
Linear arithmetic: all of the above + ... + Linear programming + Integer Linear programming.
22
Reducing separation predicates to propositional logic (1/6)
A. Normalize (example):
φ: f(x) > f(y+1)
1. Uninterpreted functions → equality logic (f1 and f2 stand for f(x) and f(y+1); functional consistency gives x = y+1 → f1 = f2):
φ: (x = y+1 → f1 = f2) ∧ (f1 > f2)
2. Normal form:
φ: (x > y+1 ∨ y > x−1 ∨ (f1 ≥ f2 ∧ f2 ≥ f1)) ∧ (f1 > f2)
Now φ has no negations and only the '>' and '≥' predicate symbols.
25
Reducing separation predicates to propositional logic (3/6)
B. Encode + construct graph (example):
φ: (x > z + 3 ∧ (z > y − 1 ∨ y ≥ x + 1))
φ': (e_zx,3 ∧ (e_yz,1 ∨ e_xy,1)), one Boolean variable per predicate
Separation graph: x → z (weight 3), z → y (weight −1), y → x (weight 1);
and its dual: the same edges reversed, with negated weights (−3, 1, −1).
27
Reducing separation predicates to propositional logic (5/6)
C. Add transitivity constraints for each simple cycle (example):
φ': (e_zx,3 ∧ (e_yz,1 ∨ e_xy,1)) ∧ (transitivity constraints)
Separation graph: x → z (weight 3), z → y (weight −1), y → x (weight 1); dual: the reversed edges with weights −3, 1, −1.
The simple cycle x → z → y → x accumulates 3 − 1 + 1 = 3 ≥ 0, so its three edges cannot hold together; the transitivity constraint over e_zx,3, e_yz,1 and e_xy,1 is ¬(e_zx,3 ∧ e_yz,1 ∧ e_xy,1). The dual cycle accumulates −3 < 0 and needs no constraint.
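Steps B and C carried out in code, as an added example that is not part of the talk: one Boolean variable per atom, the separation graph with its dual, one clause per infeasible simple cycle, and a brute-force stand-in for the SAT solver. The atoms are the three predicates of the slide-5 example; the `(x, y, c)` tuple form and all function names are this example's own.

```python
from itertools import product
# Constructed example (not from the talk): slide-5 atoms; (x, y, c) means  x > y + c.
ATOMS = [("x", "z", 3), ("z", "y", -1), ("y", "x", 1)]

def edges(atoms):
    """Separation graph plus its dual: e_i is the edge x -> y, weight c, strict;
    ~e_i means y >= x - c, i.e. the reverse edge with weight -c, non-strict."""
    out = []
    for i, (x, y, c) in enumerate(atoms):
        out.append((x, y, c, True, (i, True)))
        out.append((y, x, -c, False, (i, False)))
    return out

def simple_cycles(atoms):
    """Yield each simple cycle once (as its edge list, rooted at its smallest vertex);
    cycles using both polarities of one atom are skipped, their clause is a tautology."""
    es = edges(atoms)
    def dfs(root, cur, path, used):
        for e in es:
            src, dst, _, _, (i, _) = e
            if src != cur or i in used:
                continue
            if dst == root:
                yield path + [e]
            elif dst > root and dst not in {p[1] for p in path}:
                yield from dfs(root, dst, path + [e], used | {i})
    for r in sorted({v for e in es for v in e[:2]}):
        yield from dfs(r, r, [], set())

def transitivity_clauses(atoms):
    """One clause per infeasible cycle: accumulated weight > 0, or == 0 with a strict
    edge, is contradictory over the reals, so those literals may not all be true."""
    clauses = []
    for cyc in simple_cycles(atoms):
        w = sum(e[2] for e in cyc)
        if w > 0 or (w == 0 and any(e[3] for e in cyc)):
            clauses.append([(e[4][0], not e[4][1]) for e in cyc])
    return clauses

def decide(atoms, phi):
    """Stand-in for the SAT call: phi maps the tuple of atom values to a bool; return
    an assignment satisfying phi and every transitivity clause, or None."""
    clauses = transitivity_clauses(atoms)
    for bits in product((False, True), repeat=len(atoms)):
        if phi(bits) and all(any(bits[i] == v for i, v in cl) for cl in clauses):
            return bits
    return None

UNSAT = decide(ATOMS, lambda e: e[0] and e[1] and e[2])        # None
SAT = decide(ATOMS, lambda e: e[0] and (e[1] or not e[2]))     # (True, False, False)
```

The conjunction of all three atoms is the unsatisfiable slide-5 formula; negating the third atom inside a disjunction gives a formula of step B's shape, which the same clauses leave satisfiable.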
29
Compact representation of constraints (1/4)
Figure: a chain of n diamonds; in each diamond the top path has weights c1, c2 (accumulating c1 + c2) and the bottom path has weights c3, c4.
n diamonds → 2^n simple cycles.
Can we do better than that?
In most cases - yes.
e.g. If the diamonds are 'balanced' (c1 + c2 = c3 + c4) → O(n) constraints
30
Compact representation of constraints (2/4)
Chordal graphs: each cycle of size greater than 3 has a 'chord'.
In the equality predicates case: Let C be a cycle in G, and let an assignment violate C's transitivity constraint.
Theorem: there exists a cycle c of size 3 in G whose transitivity constraint the same assignment violates.
Conclusion: add transitivity constraints only for triangles.
Now only a polynomial no. of constraints is required.
(Figure: a chordal graph G.)
31
Compact representation of constraints (3/4)
Our case is more complicated:
• G is directed
• G is a multi-graph
• Edges have weights
• There are two types of edges
G is chordal iff: Every directed cycle of size greater than 3 has a chord which 'accumulates' the weight of the path between its ends.
(Figure: a cycle with edge weights c1, c2, c3, c4, c5 and a chord of weight c1 + c2 spanning the path c1, c2.)
32
Compact representation of constraints (4/4)
Complexity of making the graph chordal:
1. If the diamonds are 'balanced' → O(n) constraints
2. If there are uniform weights c1 and c2, c1 ≠ c2, on the top and bottom paths → O(n^2) constraints
3. Worst case: O(2^n)
(Figure: a chain of diamonds with every top edge weighted c1 and every bottom edge c2.)
34
Extension to integer variables (1/2): x, y : int; x > y + c
Given φ with integer separation predicates, derive φ^R:
• Declare all variables as real.
• For each predicate x > y + c, add the constraint x > y + c → x ≥ y + c + 1 (c is an integer).
Theorem: φ is satisfiable iff φ^R is satisfiable.
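The Pratt/Bellman check of slide 5 together with the integer transformation of this slide, as an added example that is not the talk's code. A conjunction is a list of `(x, y, c, strict)` tuples; the strict predicates are replaced by the non-strict `x ≥ y + c + 1` before deciding over the reals, which is how this example reads the slide's added constraint, and the function names are this example's own.

```python
# Constructed example (not from the talk). A predicate is a tuple (x, y, c, strict)
# meaning  x > y + c  when strict is True and  x >= y + c  otherwise.

def to_real(preds):
    """Slide-34 transformation as read here: over the integers  x > y + c  (c an
    integer) is  x >= y + c + 1, so each strict predicate becomes a non-strict one
    and the result is decided over the reals."""
    return [(x, y, c + 1 if strict else c, False) for x, y, c, strict in preds]

def conj_sat(preds):
    """Pratt/Bellman check for a conjunction of separation predicates.
    Edge x -> y carries the pair (c, 1 if strict else 0).  Around a cycle the edges
    add up to  x > x + W  (or x >= x + W), contradictory iff W > 0, or W == 0 with a
    strict edge: iff the summed pair is lexicographically above (0, 0).  Bellman-Ford
    longest-path relaxation from a virtual source therefore keeps relaxing through
    |V|+1 rounds exactly when such a cycle exists."""
    nodes = {v for x, y, _, _ in preds for v in (x, y)}
    dist = {v: (0, 0) for v in nodes}
    for _ in range(len(nodes) + 1):
        changed = False
        for x, y, c, strict in preds:
            cand = (dist[x][0] + c, dist[x][1] + int(strict))
            if cand > dist[y]:
                dist[y], changed = cand, True
        if not changed:
            return True     # stable: no non-negative cycle, the conjunction is satisfiable
    return False            # still relaxing: an infeasible cycle exists

def int_sat(preds):
    """Integer variables: transform first, then decide over the reals."""
    return conj_sat(to_real(preds))

# Slide-5 example: x > z+3, z > y-1, y > x+1; cycle weight 3 - 1 + 1 = 3 >= 0, unsat.
SLIDE5 = [("x", "z", 3, True), ("z", "y", -1, True), ("y", "x", 1, True)]
# x > y and y > x - 1: satisfiable over the reals (x = 0.5, y = 0), not over the integers.
GAP = [("x", "y", 0, True), ("y", "x", -1, True)]
```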
36
Experimental results (1/3)
Figure: a chain of n diamonds (shown with d = 2).
Each diamond has 2d edges.
Top and bottom paths in each diamond are disjuncted.
There are 2^n conjuncted cycles.
By adjusting the weights, we ensured that there is a single satisfying assignment.
37
Experimental results (2/3)
Columns: n, d, ICS, PVS, Coq, Graph analysis, Chaff (times; > 10^4 as on the slide). Each row lists its values in the order they appear on the slide; empty cells could not be recovered.
n = 3, d = 2: < 1, < 1, < 1
n = 4, d = 2: 5.9, < 1, < 1
n = 5, d = 2: 95.1, < 1, < 1
n = 7, d = 4: > 10^4, > 10^4, < 1, < 1
n = 100, d = 5: > 10^4, 32, < 1
n = 250, d = 5: > 10^4, 754, 1.6
n = 500, d = 5: > 10^4, > 10^4
To be continued...
38
Experimental results (3/3)
Model              Steps   ICS      Graph analysis   Chaff
Load-store unit    1       < 1      < 1              < 1
Load-store unit    2       87.1     < 1              < 1
Load-store unit    3       > 10^4   90               1
Out-of-order-unit  2       < 1      < 1              < 1
Out-of-order-unit  3       > 10^4   2.9              < 1
Cache-Protocol     1       < 1      < 1              < 1
Cache-Protocol     2       1.8      < 1              < 1
To be continued...
The procedure has recently been integrated into SyMP and Euclid. We currently experiment with real software verification problems.
40
Next: Linear Arithmetic (1/2)
Separation predicates: x > y + c → an edge x → y with weight c.
Adding constraints according to accumulated cycle weight:
for a cycle with edge weights c1, c2, c3, the test c1 + c2 + c3 > 0 results in a yes/no answer.
41
Next: Linear Arithmetic (2/2)
Linear Arithmetic: x > y + 2z + c → an edge x → y with weight 2z + c.
For a cycle of three such edges, the test 'sum of the three edge terms > 0' results in a new predicate, not a yes/no answer!
Shostak [81]: 'Deciding linear inequalities by computing loop residues':
- Determine a fixed variable order
- Represent each predicate by its two 'highest' variables
This procedure guarantees termination.