CAV 2007

19th International Conference on

Computer-Aided Verification

July 2007, Berlin, Germany

SMT 2007:

5th International Workshop on

Satisfiability Modulo Theories

July 1-2, 2007

Proceedings

Editors:

Sava Krstic, Albert Oliveras

Preface

This volume contains the proceedings of SMT 2007, the 5th InternationalWorkshop on Satisfiability Modulo Theories (formerly called PDPAR), held inBerlin, Germany, on July 1-2, 2007. The workshop was affiliated with the 19thInternational Conference on Computer-Aided Verification (CAV 2007).

The aim of the workshop was to bring together researchers working on SMTand users of SMT techniques, and to provide a forum for discussing new de-cision procedures and new theories of interest, combinations of decision proce-dures, novel implementation techniques, benchmarks and evaluation methodolo-gies, and theoretical results related to SMT.

Following the initiative started at PDPAR’06, we allowed not only originalpapers, but also “presentation-only papers”, which were high-quality works pre-viously published in other venues. The intention was to provide additional accessto important developments that SMT 2007 attendees may be unaware of.

The final program included:

• invited talks by Peter O’Hearn (Queen Mary, University of London) andRupak Majumdar (University of California, Los Angeles)

• 9 technical paper presentations, including 5 original papers and 4 “presentation-only”

• a panel on the SMT-LIB language• a session dedicated to the SMT competition (SMT-COMP), where the par-

ticipants briefly described their tools

We gratefully acknowledge the financial support of Microsoft Research andIntel Corporation.

Sava Krstic and Albert OliverasSMT 2007 co-chairs

Hillsboro and Barcelona, July 2007

Programme Chairs

Sava Krstic (Intel Corporation)Albert Oliveras (Universitat Politecnica de Catalunya)

Programme Committee

Clark Barrett (New York University)Alessandro Cimatti (ITC-IRST, TrentoByron Cook (Microsoft Research,Cambridge)Amit Goel (Intel Corporation)Aarti Gupta (NEC Labs America)Shuvendu Lahiri (Microsoft Research, Redmond)Leonardo de Moura (Microsoft Research, Redmond)Robert Nieuwenhuis (Universitat Politecnica de Catalunya)Silvio Ranise (LORIA, Nancy)Roberto Sebastiani (Universia di Trento)Ofer Strichman (Technion)Cesare Tinelli (University of Iowa)Ashish Tiwari (SRI International)

Table of Contents

Invited talks.

Proofs and Counterexamples (invited talk) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Rupak Majumdar

Proof Procedures for Separated Heap Abstractions (invited talk) . . . . . . . . . 2Peter O’Hearn

Original papers.

Encoding First Order Proofs in SMT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Jeremy Bongio, Cyrus Katrak, Hai Lin, Ralph Eric McGregor, Christo-pher Lynch, Yuefeng Tang

cc(X): Efficiently Combining Equality and Solvable Theories without Can-onizers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Sylvain Conchon, Evelyne Contejean, Johannes Kanig

E-matching for Fun and Profit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Michal Moskal, Jakub Lopuszanski, Joseph Kiniry

Generating minimum transitivity constraints in P-time for deciding Equal-ity Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Ofer Strichman, Mirron Rozanov

Model-based Theory Combination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Leonardo de Moura, Nikolaj Bjorner

Presentation-only papers.

Solving Quantified Verification Conditions using Satisfiability Modulo The-ories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Yeting Ge, Clark Barrett, Cesare Tinelli

Combination Methods for Model-Checking of Infinite-State Systems . . . . . . 59Silvio Ghilardi, Enrica Nicolini, Silvio Ranise, Daniele Zucchelli

Deciding Unbounded Heaps in an SMT Framework . . . . . . . . . . . . . . . . . . . . . 60Zvonimir Rakamaric, Roberto Bruttomesso, Alan Hu, Alessandro Cimatti

Efficient E-matching for SMT Solvers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Leonardo de Moura, Nikolaj Bjorner

Proofs and Counterexamples(Invited talk)

Rupak Majumdar

University of California, Los Angelesrupak@cs.ucla.edu

Abstract. Finding precise yet small abstractions automatically has beenone of the biggest challenges in software verification. In this talk, Ishall outline some recent work in generating abstractions automaticallythrough the analysis of counterexample traces. Decision procedures playa fundamental role in this process, both to check whether a counterexam-ple is genuine or spurious, and to generate abstract explanations in casethe counterexample is spurious. Conversely, algorithms for counterexam-ple analysis have influenced the interface exposed by a modern decisionprocedure: in addition to a ”yes/no” decision, the decision proceduremust produce proofs of unsatisfiability and interpolants.

Proof Procedures for Separated HeapAbstractions

(Invited talk)

Peter O’Hearn

Queen Mary, University of Londonohearn@dcs.qmul.ac.uk

Abstract. Separation logic is a program logic geared towards reason-ing about programs that mutate heap-allocated data structures. Thistalk describes ideas arising from joint work with Josh Berdine and Cris-tiano Calcagno on proof procedure for a sublogic of separation logic thatis oriented to lightweight program verification and analysis. The prooftheory uses ideas from substructural logic together with induction-freereasoning about inductive definitions of heap structures. Substructuralreasoning is used to to infer frame axioms, which describe the portion ofa heap that is not altered by a procedure, as well as to discharge verifi-cation conditions; more precisely, the leaves of failed proofs can give uscandidate frame axioms. Full automation is achieved through the use ofspecial axioms that capture properties that would normally be provenusing by induction.I will illustrate the proof method through its use in the Smallfoot staticassertion checker, where it is used to prove verification conditions andinfer frame axioms, as well as in the Space Invader program analysis,where it is used to accelerate the convergence of fixed-point calculations.

Encoding First Order Proofs in SMT

Jeremy Bongio Cyrus Katrak Hai LinChristopher Lynch Ralph Eric McGregor ∗

June 4, 2007

Abstract

We present a method for encoding first order proofs in SMT. Ourimplementation, called ChewTPTP-SMT, transforms a set of first or-der clauses into a propositional encoding (modulo theories) of the ex-istence of a rigid first order connection tableau and the satisfiability ofunification constraints, which is then fed to Yices. For the unificationconstraints, terms are represented as recursive datatypes, and unifica-tion constraints are equations on terms. The finiteness of the tableauis encoded by linear real arithmetic inequalities. We compare our im-plementation with our previous implementation ChewTPTP-SAT, en-coding rigid connection tableau in SAT, and show that for Horn clausesmany fewer propositional clauses are generated by ChewTPTP-SMT,and ChewTPTP-SMT is much faster than ChewTPTP-SAT. This isnot the case for our non-Horn clause encoding. We explain this, andwe conjecture a rule of thumb on when to use theories in encoding aproblem.

1 Introduction

Recent techniques in SAT solving have resulted in extremely fast proce-dures for solving propositional satisfiability problems[8], based on the DPLLmethod[4]. As an application of these techniques, we have developed anautomated theorem prover called ChewTPTP-SAT[6], which encodes rigidfirst order theorem proving problems as SAT problems, and solves thoseSAT problems using Minisat[8].

Rigid unsatisfiability has been studied has early as [3, 1]. A set of firstorder clauses is rigidly unsatisfiable if and only if there exists a closed rigidconnection tableau for that set of clauses[10]. Our encoding uses this factand solves the satisfiability of a set of rigid clauses by encoding the existenceof a rigid connection tableau in SAT.

A set of Horn clauses is encoded by creating propositional clauses rep-resenting the following requirements of a tableau T : (1) The root of the

∗Clarkson University

tableau must be a clause with only negative literals. (2) If a clause is in thetableau, then all its negative literals are in the tableau. (3) If a negativeliteral is in the tableau, then it must be extended by some clause (4) If anegative literal ¬A is extended by a clause C, then A must unify with thepositive literal in C. (5) All unifications must be consistent with each other.(6) The tableau must be finite, i.e., there is no cycle.

For connection tableaux for non-Horn clauses, literals are either extendedor complementary to an ancestor literal in its branch. For efficiency reasons,we choose to encode a clause tableau as a DAG. So there may be manybranches from the root to a node. Therefore, we encode the fact that eachliteral L in the tableau must either be extended or all paths from the root tothat node must contain a literal complementary to L. A tableau may havethe same clause on different branches, and those branches may be closedwith different literals. Therefore, we may have to add more instances ofclauses to find a closed tableau. This cannot be avoided, since rigid Hornclause satisfiability is NP -complete, but rigid non-Horn clause satisfiabilityis Σp

2-complete[9]. However, because of the DAG structure, we can oftenencode many instances of a clause with just one instance. Since we encoderigid proofs, the proof of unsatisfiability of a set of clauses may requirerepeating the encoding with fresh variants of each clause. However, thereare also applications which really require rigid proofs[5].

Our original ChewTPTP-SAT implementation[6] performed well on someproblems, but some of the encodings created huge sets of clauses. Some partsof our encoding represented choices made, such as which clause to extendeach literal with. But other parts of our encoding represented deterministicprocedures, such as deciding the consistency of unification constraints anddeciding the acyclicity of the DAG, which verifies that a particular propertyholds of the DAG. Furthermore, in experimental results with Horn clauses,approximately 99% of the clauses generated were encoding the determinsticprocedures, and only about 1% of represented the choices. We had an eagerencoding of unfication and acyclicity. We decided the implementation wouldbe more efficient if unification and acyclicity were encoded lazily and im-plemented these changes in ChewTPTP-SMT. It makes sense to expresseschoices involved in building the tableau using SAT, and verifcation of uni-fication and acyclicity using underlying theories. Therefore, we chose toencode our problem as Satisfiability modulo Theories[12], and we replacedMinisat[8] with Yices[7].

Yices has a theory for recursive datatypes, which can be used to representterms. A term can be defined by using function symbols as constructors.Each function symbol of arity n is a constructor with n arguments. Con-stants are constructors with no arguments. Predicate symbols are viewedthe same as function symbols. Variables are instances of terms. Then unifi-cation is represented as usual as equality of terms. We represent acyclicityusing linear arithmetic. Consider a graph G = (V,E). If an edge (u, v)

exists in E, then we assert an inequality xu < xv for some real numbers xu

and xv. Then G is acyclic if and only if the set of inequalities is consistent.In this paper, we describe our implementation of ChewTPTP-SMT, and

compare our results with ChewTPTP-SAT. We show that in the Horn en-coding, ChewTPTP-SMT produces far fewer clauses than ChewTPTP-SAT.The time needed to decide the satisfiability is also drastically reduced. Thisis not the case for non-Horn clauses. We explain why this is the case andgive a rule of thumb for when theories should be used for encoding.

2 Clausal Tableau

See [2] for a detailed description of first order logic and a background dis-cussion on the validity of a first order logic formula.

We use the following definition of tableau [10].

Definition 1 Clausal tableaux are trees with nodes labeled with literals andbranches labeled either open or closed. Clausal tableaux are inductively de-fined as follows. Let S = {C1...Cn} be a set of clauses. If T is a treeconsisting of a single unlabeled node N then T is a clausal tableau for S.The branch consisting of only the root node N is open. If N is a leaf nodeon an open branch B in the tableaux T for S and one of the following in-ference rules are applied to T then the resulting tree is a clausal tableauxfor S. (Expansion rule) Let Ck be a clause in S. Replace each variable inCk with a new variable not appearing in T . Suppose Lk1 ∨ ... Lki is theresulting clause. Construct a new tableaux T ′ by adding i nodes to N andlabeling them Lk1 through Lki. Label each of the i branches open. T ′ is aclausal tableaux for S. (Closure rule) Suppose Lij is the literal at N and forsome predecessor node with literal Lpq such that Lij and ¬Lpq are unifiable.Construct T ′ from T by applying the unifier to T and labeling the branchcontaining Lij as closed. T ′ is a clausal tableaux for S.

A clause which is added to the root node is called the start clause andwe say that a clause is in a tableaux if the clause was used in an applicationof the expansion rule.

Definition 2 A clausal tableaux is tightly connected if each clause (exceptthe start clause) in the tableaux contains some literal which is unifiable withthe negation of its predecessor.

Connected clausal tableaux use an additional rule called extension rule.

Definition 3 (Extension Rule) Let N be a node in the tableau T and letCk be a clause in S such that there exists a literal Lik in Ck which is unifiablewith the negation of N . Apply the expansion rule with Ck and immediatelyapply the closure rule with Lik.

Definition 4 The calculus for connection tableaux consists of the expansionrule (for the start clause only), the closure rule, and the extension rule.

We call a tableau closed if each leaf node has been closed by an ap-plication of the closure rule. By [11] we can require that the start clauseis a negative clause since there exists a negative clause in any minimallyunsatisfiable set.

2.1 Rigid Unsatisfiability

The main problem in Automated Theorem Proving is to determine if aset of hypotheses implies a conclusion, or equivalently that a formula Fis unsatisfiable. We will assume that F is in CNF. The problem of rigidunsatisfiability of F is to determine whether there exists a ground instanceof F which is unsatisfiable. A rigid tableau is a tableau in which multipleinstances of a clause appearing in the tableau are identical copies of theclause appearing in F . One result of Tableaux Theory is the completenessand soundness of closed connection tableaux.

Theorem 1 There exists a closed connection (rigid) tableau for F iff F is(rigidly) unsatisfiable[10].

3 Tableau Encoding

Our method to determine the rigid unsatisfiability of F generates a set S ofpropositional logic clauses modulo the theories of unification and inequalitiesfor F which encodes a rigid closed connection tableau for F and tests thesatisfiability of S with a SMT solver.

We provide two encodings, the first for problems containing only Hornclauses and the second for those containing non-Horn clauses. Given F weenumerate each of the clauses in F and each of the literals in each clause.We denote clause i by Ci and denote the jth literal in clause i by Lij . Wedenote Aij to be the atom of Lij . Therefore Lij is either of the form Aij or¬Aij .

3.1 Encoding for Horn Clauses

Let F be a set of first order logic formulas. We define a set of variables cm,lmn, emnq, disjoint from the symbols in F , as follows: Define cm = T iff Cm

appears in the tableau. Define lmn = T iff Lmn is an internal node in thetableau. Define emnq = T iff Cq is an extension of Lmn. For each pair ofclauses Ci and Cj we define xi < xj = T (where xi and xj do not exist inF ) iff there exists a path from Ci to Cj . For each pair of atoms Ai and Aj

in F , we define (Ai = Aj) = T iff Ai and Aj are the two atoms involved inan application of the closure rule.

Below we list the set of clauses that we generate and provide their mean-ing.

At least one clause containing only negative literals appears in the tableau:∨Cm is a negative clause

cm (1)

If Cm appears in the tableau and Lmn is a negative literal then Lmn isan internal node in the tableau:

cm ⇒ lmn (2)

If Lmn is an internal node in the tableau then for some qj , Cqj is anextension of Lmn:

lmn ⇒ (emnq1 ∨ ... ∨ emnqk) (3)

where {Cq1 ...Cqk} represent the set of all clauses whose positive literals are

unifiable with Lmn

If Cq is an extension of Lmn then Cq exists in the tableau:

emnq ⇒ cq (4)

If Cq is an extension of Lmn and Lqr is the positive literal in Cq thenAmn and Aqr are unifiable:

emnq ⇒ (Amn = Aqr) (5)

If Cq is an extension of Lmn then there is a path from Cm to Cq:

emnq ⇒ (xm < xq) (6)

The encoding is satisfiable if and only if the original set of first orderHorn clauses is rigidly unsatisfiable. We encode non-rigid unsatisfiability bycontinually adding new instances of each clause, standardized apart.

3.2 Encoding for Non-Horn Clauses

For non-Horn problems we use a different set of variables and generate adifferent set of clauses. Note: we say that two literals are complementary ifthey have opposite signs and their atoms are unifiable.

We define the variables, disjoint from the symbols in F, sm, cmn, lmn,emnqj , oijkl and qmnij as follows. Define sm = T iff Cm is the start clause.Define cmn = T iff Cm appears in the tableau and Lmn is complementaryto its parent. Define lmn = T iff Lmn is a node in the tableau and is not aleaf node created by an application of the extension rule. Define emnqj = Tiff Cq is an extension of Lmn and Lqj is the complement of Lmn. Defineoijkl = T iff Lij and Lkl are a pair of literals used in a closure but not by

the extension rule. If a path to a node N contains the complement of N ,then we say that the path is closed. Define qmnij = T iff Lmn is a leaf andLij is a node on a path from the root node to Lmn and every path from theroot to Lij contains a complement of Lmn. For each pair of clauses Ci andCj we define xi < xj = T (where xi and xj do not exist in F ) iff there existsa path from Ci to Cj . For each pair of atoms Ai and Aj in F , we define(Ai = Aj) = T iff Ai and Aj are the two atoms involved in an applicationof the closure rule.

The clauses are as follows.There exists a start clause in the tableau which only contains negative

literals: ∨sm is a negative clause

sm (7)

If Cm is the start clause in the tableau then each literal Lmn of Cm is inthe tableau:

sm ⇒ lmn (8)

If Ci appears in the tableau and Lij is the complement of a literal in itsparent then all other literals of Ci are in the tableau:

cij ⇒ lik where j 6= k (9)

If Lij exists in the tableau and is not a leaf node created by an applicationof the closure rule then either every branch ending at Lij is closed or thereis an extension of Lij :

lij ⇒ (qijij ∨ (∨k,l

eijkl)) (10)

If Lij is extended with Ck then Ck is in the tableau and some Lkl of Ck

is the complement of Lij :eijkl ⇒ ckl (11)

If clause Cm is an extension of Lij and literals Lij and Lml are comple-ments then Aij and Aml are unifiable.

eijml ⇒ (Aij = Aml) (12)

If Lij and Lkl are a pair used in a closure then they must be unifiable:

oijkl ⇒ (Aij = Akl) (13)

If Lij has the same sign as Lkl or their respective atoms are not unifiablethen they are not complements:

¬oijkl where Lij and Lkl are not unifiable (14)

If every path through Lkl to leaf Lij is closed and Ck is an extension ofLmn then either Lij is a complement of Lmn or every path through Lmn toLij is closed:

qijkl ⇒ (emnkp ⇒ (oijmn ∨ qijmn)) (15)

If Ck is an extension of Lij then there is a path from clause Ci to clauseCk:

eijkl ⇒ (xi < xk) (16)

If Ci is the start clause then there are no inferences into any of the literalsin Ci:

si ⇒ ¬eklij (17)

If Ci is the start clause, Lmn is a leaf, and all paths that traverse Lij toLmn are closed, then Lij and Lmn are complementary:

si ⇒ (qmnij ⇒ omnij) (18)

We represent our tableau as a DAG, so there is some structure sharing.But even with the structure sharing, a non-Horn clause tableau may needmore than one instance of the same clause. Rigid unsatisfiability could bedetermined by continually adding identical instances of a clause. Non-Hornencoding could also be extended to the non-rigid case in the same way asthe Horn encoding.

4 Implementation and Experimental Results

We have implemented our tableau encoding in our theorem prover ChewTPTP-SMT, which is an extension of ChewTPTP-SAT[6]. In ChewTPTP-SAT,instead of using theories, we encoded the consistency of the unifiers and theacyclicity of the tableau with additional propositional clauses. To encodethe consistency of the unifiers, we encoded the equations that would be cre-ated if a unification algorithm was run. We do not know ahead of time whichunifiers we will have to create, so we encode everything that can possiblyoccur when the unification algorithm is run. To encode the absence of acycle, we encode the existence of a path from one clause to another and thefact that there is no path from a clause to itself. This requires encoding allpossible transitivity and irreflexivity axioms that may occur.

Our implementation allows the user to decide whether ChewTPTP en-codes the problem as a SAT problem or an SMT problem. If the user choosesSMT, our implementation uses Yices to test the satisfiability of the encod-ing. If the user chooses SAT, then the user can also choose whether to testthe satisfiability using Yices or Minisat, with a DIMACS encoding of SAT.

We tested our prover in all three settings on a subset of TPTP[13] prob-lems. Results of the experiments can be found in an extended form of this

paper 1. SMT-Y denotes our prover run in SMT mode, SAT-Y is SAT modeusing Yices, and SAT-M is SAT mode using Minisat. For Horn clauses, weran ChewTPTP on all the Horn problems in the TPTP database, but fornon-Horn we only had time to run it through the GRP problems. We re-port all problems that both provers solved within five minutes but SAT-Mtook greater than one second. We believe the problems in these tables arerepresentative of the overall results. Columns in the table show the runningtime of each method, the clause generation time rounded off to the nearestsecond, the number of clauses generated, and the number of variables gen-erated for each method. We also show whether or not the problem is rigidlysatisfiable. For these experiments, we only tested rigid satisfiability withone instance of each clause.

We wanted to see if working modulo theories would improve the per-formance of ChewTPTP. In the Horn case the running time was reducedsignificantly, except for a small percentage of exceptions. In the non-Horncase, working modulo theories often increased the running time. Gener-ally, Yices was faster than Minisat on SAT problems without theories. Webelieve we have an explanation for our results. In the Horn problems thenumber of clauses is reduced by an order of magnitude, whereas in the non-Horn problems the number of clauses is not reduced by much. This impliesthat working modulo theories is only useful when the clauses size is reducedsignificantly.

In the Horn encoding, everything can be encoded in O(n2) except for theencoding of unification and acyclicity, which require O(n3) space. When weremove the clauses used to represent unification and acyclicity, the numberof clauses is now O(n2). However, for the encoding of non-Horn clauses,we must encode the fact of a leaf node having a complementary literal asan ancestor. This encoding is O(n3). We do not know how to encode thisusing the theories of Yices, so we have kept the propositional encoding.Therefore, when we remove the encoding of unification and acyclicity, theentire coding of the problem is still O(n3). We conjecture a good rule ofthumb for deciding when it is useful to encode properties using theories.We conjecture that if the number of clause can be reduced by a factor ofn, then the coding is useful, but if the asymptotic complexity remains thesame, then it is not a good idea.

5 Conclusion

We have given an application of SMT to theorem proving in first order logicby encoding the existence of a rigid connection tableau in SMT. We haveimplemented the SMT encoding in our theorem prover ChewTPTP-SMT.

1http://www.clarkson.edu/˜clynch/papers/chewTPTP-SMT.pdf

We compared it with our initial version of ChewTPTP-SAT, where a rigidconnection tableau was encoded in SAT.

Compared to our encoding in SAT, the encoding in SMT is more naturaland more efficient. As part of our encoding, we need to encode the solvingof unification problems and the acyclicity of the tableau. In SAT, it wasnecessary to add cubically many clauses to encode the solving of unifica-tion. In addition, it was necessary to add cubically many clauses to encodethe acyclicity of the tableau. However, when encoding this information inSMT, there was no need to encode the solving of unification, since this wasaccomplished directly with the Yices recursive datatype theory. The num-ber of unification clauses was reduced from a cubic to a quadratic number.Similarly for acyclicity of tableau, we did not need to encode the transitivityand irreflexivity of the path relation. We only needed to express edges inthe tableau as inequalities. The number of clauses to represent acyclicityalso dropped from a cubic number to a quadratic number.

In the Horn encoding, all the other information in the tableau can alsobe encoded with a quadratic number of clauses. Therefore the entire encod-ing of the existence of a tableau dropped from a cubic number of clausesin SAT to a quadratic number in SMT. This drastically reduced the num-ber of clauses, and simultaneously decreased the time needed to decide thesatisfiability of the clauses

There was only a small reduction in number of clauses for non-Hornclauses, because we still need to encode the fact that all paths in the tableaucan be closed. Therefore the entire encoding is still cubic, and the runningtime was actually worse. We conjecture a rule of thumb saying that it isworthwhile to use theories if the number of clauses is reduced by a factor ofn, but not worthwhile if the asymptotic number remains the same.

For future work, we hope to be able to use SMT to further reduce therepresentation for non-Horn clauses, ideally cutting it down to a quadraticnumber of clauses. It would be possible to define a theory to do this directly,but we have not yet figured out how to do it with the existing theories inYices. In addition, in order to prove the general first order problem we alsoneed to find a good way to decide exactly which clauses should be copied.We would like a method to decide satisfiability from rigid satisfiability. Itwould be useful to have an encoding of rigid clauses modulo a non-rigidtheory, as discussed in [5]. This way, we could immediately identify someclauses as non-rigid, and work modulo those clauses.

Acknowledgments

We would like to thank Leonardo de Moura for his explanation of how toexpress unification problems in Yices using recursive datatypes.

References

[1] Andrews P. B. [1981], Theorem Proving via General Matings, Journalof the Association for Computing Machinery, Vol. 28, No. 2, pp.193-214

[2] Bell J.L. and Slomson A.B. [1969], Models and Ultraproducts, An In-troduction, Dover

[3] Chang, C. and Lee, C.R. [1973], Symbolic Logic and Mechanical The-orem Proving. Academic Press New York and London.

[4] Davis M., Logemann D. and Loveland D. [1962], A Machine ProgramFor Theorem Proving, Communications of the ACM, Volume 5 , Issue7, pp. 394-397

[5] Delaune S., Lin H. and Lynch C. [2007], Protocol Verification ViaRigid/Flexible Resolution, submitted

[6] Deshane T., Hu W., Jablonski P., Lin H., Lynch C. and McGregor R.E.[2007], Encoding First Order Proofs in SAT, To appear in 21st annualConference in Automated Deduction (CADE), Bremen (Germany)

[7] Dutertre B. and deMoura L. Yices. http://yices.csl.sri.com

[8] Een N. and Sorensson N. [2003], An Extensible Sat-Solver, In SAT, pp.502-518

[9] Goubault J. [1994], The Complexity of Resource-Bounded First-OrderClassical Logic, Lecture Notes In Computer Science, Proceedings of the11th Annual Symposium on Theoretical Aspects of Computer Science,Vol. 775, Springer-Verlag, pp. 59-70

[10] Hahnle R. [2001], Tableaux and Related Methods, in A. Robinson andA. Voronkov, eds, ’Handbook of Automated Reasoning’, Vol. 1, ElsevierScience, chapter 3, pp. 101-177

[11] Letz R. and Gernot S. [2001], Model Elimination and ConnectionTableau Procedures, in A. Robinson and A. Voronkov, eds, ’Hand-book of Automated Reasoning’, Vol. 2, Elsevier Science, chapter 28,pp. 2015-2113

[12] Nieuwenhuis R., Oliveras A. and Tinelli C. [2006] Solving SAT andSAT Modulo Theories: From an Abstract Davis-Putnam-Logemann-Loveland Procedure to DPLL(T). Journal of the ACM, 53(6), 937-977,November 2006.

[13] Sutcliffe G. and Suttner C.B. [1998], The TPTP Problem Library: CNFRelease v1.2.1, Journal of Automated Reasoning, Vol. 21, No. 2, pp.177-203

CC(X): Efficiently Combining Equality andSolvable Theories without Canonizers

Sylvain Conchon Evelyne Contejean Johannes Kanig

LRI, Université Paris-Sud, CNRS, INRIA Futurs, Orsay F-91405

Abstract

We present a generic congruence closure algorithm for deciding groundformulas in the combination of the theory of equality with uninterpreted sym-bols and a unionX of solvable theories. Our algorithmCC(X) is reminiscentof Shostak combination: it maintains a union-find data-structure moduloXfrom which maximal information about implied equalities can be directlyused for congruence closure.CC(X) diverges from Shostak approach bythe use of semantical values for class representatives instead of syntacticalcanonizers. This seemingly insignificant difference has strong impact on ef-ficiency and expressiveness. It also enforces to entirely rebuild the algorithmsince global canonization, which is at the heart of Shostak combination, isno longer feasible with semantical values.CC(X) has been implemented inOcaml and is at the core of Ergo, a new automated theorem prover dedicatedto program verification.

1 Introduction

Combining decision procedures for the quantifier-free theory of equality over un-interpreted function symbols (E) and other theories is at the core of a number ofverification systems. For instance, problem divisions of the SMT competition [4]include the combinations ofE and the linear arithmetics over the integers;E andthe theory of arrays etc.

There are two main paradigms for combining theories: The Nelson-Oppencombination procedure [3] and the Shostak’s algorithm [6, 5]. The former proce-dure is very general: it applies to disjoint stably-infinitetheories that communicateby an equality propagation mechanism between shared variables. However, quot-ing Shankar from [5], this method “has some disadvantages”.Indeed, the theoryE has no particular status in this approach and its combination amounts to imple-menting a specific decision procedure with the ability to infer and communicate allnew implied equalities, which can be very expensive.

On the contrary, Shostak’s method has been specifically designed for combin-ing E with (a smaller class of) solvable and canonizable theories. Again quotingShankar [5], “Shostak’s algorithm tries to gain efficiency”, when it is applicable.

It is based on an extension of a congruence closure algorithmthat maintains apartition of terms within a table (reminiscent of a union-find data structure) map-ping terms to representatives. Roughly speaking, a run of this algorithm consists intransforming equations into substitutions usingsolvers, then applying substitutionsto representatives and reducing the latter to normal forms by the use ofcanonizersso that new equations can be directly drawn from the table.

A central point for this method to be effective is that representatives have tobe themselvesterms. As a consequence, the main operations of the algorithm,substitution application, normal form reduction and equation resolution, have tobe directly implemented on term data structures, which is not the best efficientway of implementing a decision procedure1(e.g.a term data structure is obviouslynot optimal to manipulate polynomials). However, relaxingthis constraint hasstrong impacts on the design of the method. Indeed, bringinga representativeinto a normal form amounts to traversing itssyntactic structurefor applying thecanonizers on interpreted subterms. Thisglobal canonizationis at the heart of themethod and it also guarantees the incrementality of the algorithm.

In this paper, we present an algorithm, calledCC(X) (for congruence closuremoduloX), which combines the theoryE with a unionX of solvable theories with-out using canonizers. This algorithm is presented as a set oftwo inference rules. Itusesabstract valuesas representatives allowing efficient data structures for substi-tution and normalization operations. Since global canonization is no longer possi-ble, incrementality of the algorithm is not obtained for free. We thus present a newincremental technique whose main originality is that it is clearly separated fromthe congruence closure part of the system: two extra rules are added to the systemwhile keeping the original set intact.

As a last remark, as shown in [2], solvers for first order theories almost nevercombine. However, while this is out of the scope of this paper, we claim thatsolvers fortyped theories(under certain restrictions) can be combined. Therefore,CC(X) sticks with the original spirit of Shostak’s method by combining the theoryE with only onetheoryX. We will be briefly discuss this point at the end of thepaper.

2 Congruence Closure ModuloX

In this section, we present an extension of a congruence closure algorithm capableof combining the theory of equality with uninterpreted function symbols and an-other theoryX that underlies certain restrictions. In the rest of this paper,Σ denotesthe set of all symbols, including interpreted and uninterpreted symbols.

1It is also good to note that this constraint is not imposed by the Nelson-Oppen approach.

2.1 The TheoryX

While solvers and canonizers of Shostak theories operate onterms directly, thetheoryX we are about to introduce works on a certain setR , whose elements arecalledsemantical values. The main particularity is that we don’t know the exactstructure of these values, only that they are somehow constructed out of terms.To compensate, we dispose of two functions[·] : T(Σ) → R and leaves: R →P f (T(Σ)) which are reminiscent of the variable abstraction mechanism found inNelson-Oppen method:

Definition 2.1 We call a theoryX a tuple(ΣX,R ,=X ), whereΣX ⊆ Σ is the set offunction symbols interpreted byX, R is a set (of semantical values) and=X is acongruence relationover terms, =X⊆ T(Σ)×T(Σ). Additionally, a theoryX hasthe following properties:

• There is a function[·] : T(Σ) → R to construct a semantical value out ofa term. For any set E of equations between terms we write[E] for the set{[x] = [y] | x = y∈ E}.

• There is a function leaves: R → P f (T(Σ)), where the elements ofP f (T(Σ))are finite sets of terms. It returns the set of maximal uninterpreted terms agiven semantical value consists of.

• There is a function subst: T(Σ)×R ×R → R . Instead of subst(p,P, r) wewrite r{p 7→ P}. The pair(p,P) is called asubstitutionand subst(p,P, r) istheapplicationof a substitution to r.

• There is a (partial) function solve: R ×R → T(Σ)×R .

• Let ER be the set of equations between elements ofR . There is a rela-tion |=⊂ P (ER )×R ×R whose intention is the following: If the equalitiese1, . . . ,en ∈ ER imply that r1 equals r2, we write{e1, . . . ,en} |= r1 = r2. For/0 |= e we write|= e.

As we will often talk about successive substitutions, we define an auxiliaryfunction that does just that:

Definition 2.2 There is a function iter: P (R ×R )×R → R that applies substsuccessively in the following way:

iter( /0, r) = riter((r1, r2)⊎S, r3) = r ′3{p 7→ P}

wherer ′i = iter(S, r i) and(p,P) = solve(r ′1, r′2).

In addition to definition 2.1, a theoryX must fulfill the following axioms:

Axiom 2.3 For any r1, r2,P∈ R , p∈ T(Σ),

solve(r1, r2) = (p,P) ⇒ r1{p 7→ P} ≡ r2{p 7→ P} .

Axiom 2.4 [E] |= [u] = [v] ⇒ u =E,X v, where=E,X denotes the equational theorydefined by E∪X.

Axiom 2.5 For any S∈ P (R ×R ) and any r∈ R , we have S|= iter(S, r) = r.

Let us explain this a little bit. First of all, as we will see insection 2.2, the algo-rithm establishes and maintains equivalence classes over terms. Every equivalenceclass is labeled by an element of the setR ; a function∆ : T(Σ) → R is main-tained that for each term returns its current label. The function solve is capableof solving an equation between two elements ofR , that is, it transforms an equa-tion r1 = r2 for r1, r2 ∈ R into the substitution(p,P), with p∈ T(Σ) andP∈ R ,where the termp is now isolated. Axiom 2.3 makes sure that such a substitutionrenders equal the two semantical valuesr1 andr2, which are at theorigin of thissubstitution. Finally,R comes also with a notion ofimplication of equalities, therelation|=. Axiom 2.4 just states that, if a set[E] of equations between semanticalvalues implies an equation[u] = [v], thenu =E,X v, that is, an equality on the theoryside implies an equality between corresponding terms. The last axiom states thatiterated substitutioniter behaves well with respect to this implication relation: Ifr ′

has been obtained fromr by iterated substitution, then the equations at the originof these substitutions imply the equalityr ′ = r (axiom 2.5).

As a last remark, we have given the interface of a theoryX in a slightly lessgeneral fashion as was possible: depending on the theory, the functionsolvemay aswell return alist of pairs(pi ,Pi) with pi ∈ T(Σ),Pi ∈ R . It becomes clear why wecall this a substitution: thepi can be seen as variables, that, during the applicationof a substitution, are replaced by a certain (theory) term. However, for the examplepresented in the next section,solvealways returns a single pair, if it succeeds at all.Thus, we will stick with the simpler forms ofsolveandsubst.

The following proposition is a simple, but useful, consequence of the axiomsstated above. It will be used in the soundness proof. It simply states that, if seman-tical values constructed with[·] are equal, the original terms were already equalwith respect toX.

Proposition 2.6 For any terms x,y∈ T(Σ), [x] ≡ [y] ⇒ x =X y.

2.2 The Algorithm CC(X)

The algorithm works on tuples (configurations) 〈 Γ | ∆ | Φ 〉, whereΓ is a mappingfrom semantical values to sets of terms,∆ a mapping from terms to semanticalvalues andΦ a set of equations between terms. Given the input setE of equationsand a query (an equation)Q for which we want to solve the word problem, thealgorithm starts in an initial configurationK0 = 〈 ΓE,Q | ∆0 | E 〉, where∆0(t) = [t]for all t ∈ T(Σ). Let TE,Q be the set of all terms and subterms that occur inE or Q.ΓE,Q, intuitively, maps each semantical value to the terms that contain it directly, itis defined as follows:

ΓE,Q(r) = { f (t1, . . . , tn) ∈ TE,Q | ∃t. t ∈ leaves([ti ]) andr = [t] for somei} .

CONGR〈 Γ | ∆ | {a = b}⊎Φ 〉

〈 Γ⊎Γ′ | ∆′ | Φ′∪Φ 〉∆(a) 6= ∆(b)

where,(p,P) = solve(∆(a),∆(b))

∆′(l) 7→ Γ(∆′(l))Γ′ =[

l∈leaves(P)

∪Γ([p])

∀t ∈ T(Σ),∆′(t) := ∆(t){p 7→ P}

Φ′ =

f (~u) = f (~v)

∣

∣

∣

∣

∣

∣

f (~u) ∈ Γ([p])f (~v) ∈ Γ([p])∪

S

t|p∈leaves(∆(t))S

l∈leaves(∆′(t)) Γ(∆′(l))∆′(~u) ≡ ∆′(~v)

REMOVE〈 Γ | ∆ | {a = b}⊎Φ 〉

〈 Γ | ∆ | Φ 〉∆(a) ≡ ∆(b)

Figure 1: The rules of the congruence closure algorithmCC(X)

In Figure 1, we describe our algorithmCC(X) as two inference rules operatingon configurations. At any time,Φ represents the equations that still have to betreated,∆ denotes the structure that can tell us if two terms are known to be equal(it can be seen as thef ind function of a union-find data structure), andΓ stocks theinformation of what terms have to be considered for congruence. The semanticalvalue∆(t), for t ∈ T(Σ) is also calledrepresentativeof t. Figure 1 also uses an ab-breviation: We sometimes write~u for u1, . . . ,un, wheren is clear from the context.We also write∆(~u) ≡ ∆(~v) for the equivalences∆(u1) ≡ ∆(v1), . . . ,∆(un) ≡ ∆(vn).If t1 ∈ Γ(∆(t2)) for t1, t2 ∈ T(Σ), we also sayt1 is used by t2, or t2 uses t1.

We now have all the necessary elements to understand the rules. We first ex-plain the second rule, because it is simpler: REMOVE just chooses an equation inΦ, checks if it is already known to be true (by the help of∆), and, if this is the case,discards it.

The rule CONGR is more complex. It also chooses an equation inΦ, one that isnot already known to be true. This equationa = b with a,b∈ T(Σ) is transformedinto an equation inR , ∆(a) = ∆(b), and then solved in the theoryX, which yieldsa term p and a semantical valueP. The termp is then substituted byP in allrepresentatives. Then,Γ is updated according to these substitutions: the terms thatusedp before now also use all the termst ∈ leaves(P). Finally, a setΦ′ of newequations is calculated, which is added to the setΦ of the equations to be treated.The setΦ′ is calculated in the following way: The left hand side of any equationin Φ′ is a term that usedp, and the right hand side is either a term that usedp, ora term that used a terml ∈ leaves(∆′(t)) for a termt for which p∈ leaves(∆(t)).

this rather complicated condition assures that only concerned terms are consideredfor congruence. As the name implies, the CONGR rule will only add equations ofthe form f (t1, . . . , tn) = f (t ′1, . . . , t

′n), where the corresponding subterms are already

known to be equal:∆′(ti) ≡ ∆′(t ′i ), 1≤ i ≤ n.

2.3 Incrementality

The backtracking search underlying the architecture of SMTsolver enforces an in-cremental treatment of the set of ground equations. Indeed,for efficiency reasons,equations are given one by one by the SAT solver to decision procedures whichprevent them from realizing a global preliminary treatment, unless restarting thecongruence closure from scratch.

We present in this section an incremental version of our algorithm where thesetΦ is now considered as a sequence of equations and queries between closed

terms. A queryu?= v of Φ is valid if and only if u =Φ′ v whereΦ′ is the set of

equations ofΦ occurringbeforethe query. Taking the sequential aspect ofΦ intoaccount amounts to replace the union of sets (∪ and⊎) by a sequence operator ;for the third component of the configurations in the rules CONGR and REMOVE offigure 1.

In the sequential case,TΦ is not known at the beginning of the algorithm. HenceΓΦ is empty at the beginning and it has to be constructed step by step from thesequenceΦ. However, this is not sufficient. Indeed, suppose for instance thatΦ isthe sequencea = b; f (a) = t; f (b) = u. Then, the instanceCC(Empty)2 will failto prove thatt = u since the equalitya = b is processed too early, whenf (a) andf (b) are not yet in the structureΓ, thus preventing the congruence closure.

This problem is fixed by the rule ADD, described in figure 2, which determinesthe new equalities that can be propagated by congruence whenprocessing a newterm. For example, processing the termf (b) in f (b) = u will updateΓ and addf (a) = f (b) to Φ which will eventually trigger the CONGR rule. We also add anextra rule QUERY to validate queries.

3 Example

In this section, we present the theory of linear arithmetic over the rationals as aninteresting example of instantiation ofCC(X). This theory corresponds to the tuple({+,−,/,×,succ,0} ,R ,=A) with the following remarks:

• The interpreted function symbols are+,−,/,×,succand 0.

• The semantical values are polynomials of the form

c0 +n

∑i=1

citi , ci ∈ Q, ti ∈ T(Σ),ci 6= 0.

2whereEmpty stands for the empty theory.

ADD〈 Γ⊎∪v∈~a{∆(v) 7→ Cv} | ∆ | C[ f (~a)];Φ 〉

〈 Γ′ | ∆ | Φ′;C[ f (~a)];Φ 〉Γ(∆( f (~a))) = ⊥

whereC[ f (~a)] denotes an equation or a query containing the termf (~a)

with

Γ′ = Γ∪ ([ f (~a)] 7→ {})∪{∆(l) 7→ { f (~a),Γ(∆(l))} | l ∈ L(∆(~a))}

Φ′ ={

f (~a) = f (~b)∣

∣

∣ ∃l ∈ L∆(~a). f (~b) ∈ Γ′(∆(l)) and∆(~a) = ∆(~b)}

whereL∆(~a) =S

v∈~a leaves(∆(v))

QUERY〈 Γ∪{∆(a) 7→ A ,∆(b) 7→ B} | ∆ | a

?= b;Φ 〉

〈 Γ∪{∆(a) 7→ A ,∆(b) 7→ B} | ∆ | Φ 〉∆(a) = ∆(b)

Figure 2: Adding Incrementality

From an implementation point of view, these polynomials canbe representedas pairs where the left component representsc0 and the right componentis a map from terms to rationals that represents the sum∑n

i=1 citi. In therest of the example, these semantical values are simply written in standardmathematical notation, for the sake of readability.

• =A is just the usual equality over the rational expressions.

The functions needed by the algorithm are defined as follows:

• The function[·] interprets the above function symbols as usual and constructspolynomials accordingly.

• The function leaves just returns the set of all the base termsin the polyno-mial:

leaves

(

c0 +n

∑i=1

citi

)

= {ti | 1≤ i ≤ n} .

• For the termt and the polynomialsp1, p2, subst(t, p1, p2) replaces the termt by the polynomialp1 in p2, if t occurs inp2.

• For two polynomialsp1, p2 ∈R , solve(p1, p2) is simply the Gauss algorithmthat solves the equationp1 = p2 for a certain term occurring inp1 or p2.

• |= is again just the entailment relation in linear arithmetic.

If we admit the soundness of the[·] function and the Gauss algorithm used insolve, the axioms that need to hold are trivially true.

Theorem 3.1 The functions defined above satisfy the axioms 2.3 - 2.5.

We now want to show the execution of the non-incremental algorithm by anexample in arithmetic. Consider therefore the set of equations

E = {g(x+k) = a,s= g(k),x = 0}

and we want to find out if the equations= a follows. The algorithm will start ina configuration〈 ΓE,Q | ∆0 | E 〉, where∆0 is is defined as usual andΓE,Q is thefollowing function, defined for all the terms occurring inE or the query:

[t] ΓE,Q([t])x {x+k,g(x+k)}a /0k {x+k,g(k),g(x+k)}s /00 /0g(k) /0g(x+k) /0x+k g(x+k)

The application of the CONGR rule to the first equationg(x+ k) = a yieldsK1 = 〈 Γ1 | ∆1 | Φ1 〉. solvehas to solve the equationg(x+k) = a and just returns(for example)p = g(x+ k) andP = a. ∆1 is updated to∆1(g(x+ k)) = a, but isotherwise left unchanged w.r.t.∆0. As ΓE,Q([p]) = ΓE(g(x+ k)) = /0, Γ1 = ΓE,Q

andΦ1 = E\{g(x+k) = a}.The next equation to be treated iss= g(k). The resulting tupleK2 = 〈Γ2 |∆2 |Φ2 〉

again does not change, with the exception that∆2(s)= g(k) andΦ2 = Φ1\{s= g(k)}.The interesting equation isx = 0. The following table shows the changes be-

tween∆2 and∆3, knowing thatp = x andP = 0:

t ∆2(t) ∆3(t) ≡ ∆2(t){x 7→ 0}x x 0g(x+k) a as g(k) g(k)x+k x+k k

It is important to see, that the representative ofx+ k has changed, even if theterm was not directly involved in the equation that was treated. We also haveΓ3(0) = {x+k,g(x+k)}, that means, 0 is now used by the same terms asx. Fi-nally, new equations are added. Recall that the set of new equations is calculatedin the following way (p has been replaced byx):

Φ′ =

f (~u) = f (~v)

∣

∣

∣

∣

∣

∣

f (~u) ∈ Γ([x]),f (~v) ∈ Γ([x])∪

S

t|x∈leaves(∆(t))S

l∈leaves(∆′(t)) Γ(∆′(l)),∆′(~u) ≡ ∆′(~v)

To calculate this set, we first collect the terms that usex:

Γ2([x]) = ΓE,Q([x]) = {x+k,g(x+k)} .

The elements ofΓ2([x]) are potential lhs of new equations. To calculate the set ofpotential rhs, we first construct the set of termst such that the representative oftcontainsx:

{t | x∈ leaves(∆2(t))} = {x,x+k} ,

and, for every termt in this set, we calculateleaves(∆3(t)) and merge all these sets,which gives

[

t|x∈leaves(∆2(t))

leaves(∆3(t)) = {0,k}

and, if for each terml in this set, we calculateΓ2([l ]) and merge these sets, weobtain

[

t|x∈leaves(∆2(t))

[

l∈leaves(∆3(t))

Γ2([l ]) = {x+k,g(k),g(x+k)} .

If we cross this set with the setΓ2([x]) and filter the equations that are not congru-ent, we obtain three new equalities

Φ3 = {x+k = x+k,g(x+k) = g(x+k),g(x+k) = g(k)} .

The first two equations get immediately removed by the REMOVE rule. After treat-ment of the last one, without explicitly writing all the steps down, we will obtainthat ∆4(t) ≡ g(k) ≡ ∆4(a), which lets us conclude thats = a is indeed a conse-quence ofE.

4 Implementation

An efficient Ocaml implementation ofCC(X) exists and is at the heart of the Ergoautomated theorem prover [1]. This implementation uses only purely functionaldata-structures and directly follows the three inference rules presented so far.

In order to check the scalability of our algorithm, we benchmarked Ergo andthree others provers on our test suite: 1349 verification conditions automaticallygenerated by the VCG Caduceus/Why from 61 C programs. They were run witha fixed timeout of 20s on a machine with Xeon processors (3.20 GHz) and 2 Gbof memory. For this benchmark,CC(X) is instantiated with the theory of lineararithmetic.

As shown by the results in Figure 3, the current experimentations are verypromising with respect to speed and to the number of goals automatically solved.However, the benchmarks also contain logical connectives and quantifiers, not han-dled byCC(X). So, strictly speaking, Figure 3 only proves thatCC(X) is suffi-ciently fast to let Ergo compete with Yices and Simplify.

valid timeout unknownSimplify 98% 1% 1%Yices 95% 2% 3%Ergo 95% 4% 1%CVC-Lite 67% 30% 3%

Figure 3: Comparison between Ergo, Simplify, Yices and CVC-Lite on 1349 veri-fication conditions.

5 Conclusion and Future Works

We have presented a new algorithmCC(X) which efficiently combines the the-ory of equality over uninterpreted function symbols with solvable theories. Ourmethod is reminiscent of Shostak’s algorithm. Its main novelty rests on the useof abstract data structures for class representatives thatallows efficient implemen-tations of crucial operations. The soundness proof of our algorithm is given inappendix. Its completeness is current work; obviously, this will require some ad-ditional assumptions on the theoryX which may be expressed as properties of thefunctions given in Definition 2.1.

CC(X) has been implemented in Ocaml as a functor parameterized by atheorymodule whose signature is the one given in section 2.1.CC(X) is at the core of theErgo theorem prover. Since practice often arrives before theory, a number of extrafeatures ofCC(X) have already been implemented in Ergo. We leave for futurework their formalization and correctness proofs:

• A functor CombineX(X1,X2) combines two theory modulesX1 andX2, al-lowing CC(X) to combine several solvable theories. This combination onlyworks for (polymorphic) typed theories under certain restrictions.

• Predicate symbols are already handled byCC(X). Their treatment smoothlyintegrate to the all framework.

• CC(X) has been instrumented to produce explications so that the SAT solverpart of Ergo can benefit from them for its backjumping mechanism.

Another direction is to “prove the prover” in a proof assistant. Indeed, Ergouses only purely functional data-structures, is highly modular and very concise (∼3000 lines of code). All these features should make a formal certification feasible.

References

[1] S. Conchon and E. Contejean. The Ergo automatic theorem prover. http://ergo.lri.fr/.

[2] S. Krstic and S. Conchon. Canonization for disjoint unions of theories. Infor-mation and Computation, 199(1-2):87–106, May 2005.

[3] G. Nelson and D. C. Oppen. Simplification by cooperating decision proce-dures.ACM Trans. on Programming, Languages and Systems, 1(2):245–257,Oct. 1979.

[4] S. Ranise and C. Tinelli. The Satisfiability Modulo Theories Library (SMT-LIB). http://www.SMT-LIB.org, 2006.

[5] H. Rueß and N. Shankar. Deconstructing shostak. InLICS ’01: Proceedingsof the 16th Annual IEEE Symposium on Logic in Computer Science, page 19,Washington, DC, USA, 2001. IEEE Computer Society.

[6] R. E. Shostak. Deciding combinations of theories.J. ACM, 31:1–12, 1984.

A Correctness Proof ofCC(X)

We now proceed to prove the correctness of the algorithm. Forthe proof, we needan additional information about the run of an algorithm, that is not contained in aconfiguration: the setO of equations that have already been treated in a CONGR

rule.The first proposition shows that the equations that are already treated are never

contradicted by∆.

Proposition A.1 For any configuration 〈 Γ | ∆ | Φ 〉 and for all t1, t2 ∈ T(Σ) wehave: t1 = t2 ∈ O⇒ ∆(t1) ≡ ∆(t2).

The next proposition shows that∆ coincides with the functioniter, applied tothe equations that have already been treated.

Proposition A.2 For any configuration〈 Γ | ∆ | Φ 〉 and for all t∈ T(Σ) we have:∆(t) = iter([O] , [t]).

The next proposition states that the evolution of the representative of a term isalways justified by the equations that have been treated:

Proposition A.3 For any configuration〈 Γ | ∆ | Φ 〉 and for all t∈ T(Σ) we have:[O] |= ∆0(t) = ∆(t).

This is the main lemma: It basically states the soundness of∆, crucial for thesoundness of the whole algorithm.

Lemma A.4 For any configuration〈 Γ | ∆ | Φ 〉 and for all t1, t2 ∈ T(Σ), we have:

∆(t1) ≡ ∆(t2) ⇒ t1 =X,O t2.

We are now ready to state the main soundness theorem: whenever two termshave the same representative, they are equal w.r.t. the equational theory defined byE andX, and every newly added equation is sound as well. For the soundness ofthe algorithm, we are only interested in the first statement,but we need the secondto prove the first, and the statements have to be proved in parallel by induction.

Theorem A.5 For any configuration〈 Γ | ∆ | Φ 〉, we have:

∀t1, t2 ∈ T(Σ) : ∆(t1) ≡ ∆(t2) ⇒ t1 =X,E t2∀t1, t2 ∈ T(Σ) : t1 = t2 ∈ Φ ⇒ t1 =X,E t2.

Proof. We prove the two claims simultaneously by induction on the application ofthe rules CONGR and REMOVE. First, we observe that both claims are true for theinitial configurationK0: The second claim is trivial asΦ = E, and the first claim istrue because of proposition 2.6, as in the proof of lemma A.4.

In the induction step, we consider the last rule applied to the configuration〈 Γ | ∆ | Φ 〉, and show that the claims still hold in the configuration obtained byapplication of that rule. For the rule REMOVE this is actually trivial, as∆ does notchange andΦ does not get any new equalities added.

Thus, we assume that the last rule applied was a CONGR rule. We started froma configuration 〈 Γ | ∆ | {a = b}∪Φ 〉, and we have to prove the two claims forthe configuration〈 Γ′ | ∆′ | Φ′∪Φ 〉, with Γ′,∆′,Φ′ defined as in figure 1. We startby proving the first claim, because it is needed to prove the second.

We assume∆′(t1) ≡ ∆′(t2). By lemma A.4, we havet1 =X,O,a=b t2. Now, a = bis obviously an element of the set{a = b}∪Φ, so that, by induction hypothesis,a =X,E b. By the induction hypothesis and proposition A.1, for anyai = bi ∈ O wehave alsoai =X,E bi . As =X,E is a congruence relation, we can concludet1 =X,E t2.

For the second claim, we have to show that

∀t1, t2 ∈ T(Σ), t1 = t2 ∈ Φ′∪Φ ⇒ t1 =X,E t2.

If t1 = t2 ∈ Φ, we can conclude by induction hypothesis. Ift1 = t2 ∈ Φ′, thent1 ≡ f (~a) andt2 ≡ f (~b) for a function symbolf of arity n and two vectors of terms~a and~b of lengthn. The conditions in figure 1 guarantee that∆′(ai) ≡ ∆′(bi) forany 1≤ i ≤ n. By the first claim, we can state thatai =X,E bi (1≤ i ≤ n) and by the

congruence property of=X,E we havef (~a) =X,E f (~b), which proves the claim.

2

E-matching for Fun and Profit

Micha l Moskal∗

Jakub LopuszanskiUniversity of Wroc law, Poland

Joseph R. KiniryUniversity College Dublin, Ireland

Abstract

Efficient handling of quantifiers is crucial for solving software verification problems.E-matching algorithms are used in satisfiability modulo theories solvers that handlequantified formulas through instantiation. Two novel, efficient algorithms for solv-ing the E-matching problem are presented and compared to a well-known algorithmdescribed in the literature.

1 Motivation

Satisfiability Modulo Theories (SMT) checkers usually operate in the quantifier-free frag-ments of their respective logics. Yet program verification problems often require expres-siveness and flexibility in extending the underlying background theories with universallyquantified axioms. The typical solution to this problem is to generate ground instancesof the quantified subformulas during the course of the proof search and hope that theparticular instances generated are the ones required to prove unsatisfiability.

As an example, consider the following formula, which we try to satisfy modulo lineararithmetic and uninterpreted function symbols theories:

P (f(42)) ∧ ∀x. P (f(x)) ⇒ x < 0

If the prover were able to guess the implication:

(∀x. P (f(x)) ⇒ x < 0) ⇒ P (f(42)) ⇒ 42 < 0

then, by boolean unit resolution (with the currently known facts P (f(42)) and ∀x. P (f(x)) ⇒x < 0), the prover would try to assert 42 < 0, which would cause contradiction in thelinear arithmetic decision procedure.

The tricky part is how to figure out which instances are going to be useful. A well-known [6] solution is to designate subterms occurring in the quantified formula calledtriggers, and only add instances that make those subterms equal to ground subterms thatare currently being considered in the proof. In our example one such trigger is P (f(x)),which works as expected.

However it is often not enough to consider only syntactic equality. If we modify ourexample a little bit:

a = f(42) ∧ P (a) ∧ ∀x. P (f(x)) ⇒ x < 0∗Partially supported by Polish Ministry of Science and Education grant 3 T11C 042 30.

then our choice of trigger no longer works. We could use a less restrictive trigger (namelyf(x)), but such a trigger leads to generating excessive, irrelevant instances, which reducesthe efficiency of the prover. We therefore use a different technique: instead of usingsyntactic equality, use the equality relation induced by the current context. For example:in the context P (a), a = f(42) the substitution [x := 42] makes the term P (f(x)) equalto P (a).

Because we do not consider boolean formulas terms, it is sometimes not possible todesignate a single trigger containing all the variables that are quantified. A classicalexample is the transitivity axiom. In such a case we use a multitrigger, which is a set oftriggers, hopefully sharing variables, that are supposed to match simultaneously.

There are two remaining problems here: identifying the set of triggers for a givenformula, and identifying the substitutions that make the trigger equal to some groundterm. As for the first problem, it is possible to apply heuristics1, as well as ask the userto provide the triggers. The second problem is E-matching. We present a well-knownalgorithm for solving it (Sect. 3), introduce two other, efficient algorithms (Sect. 4 and 5)and compare them to the well-known one.

2 Definitions

Let V be the infinite, enumerable set of variables. Let Σ be the set of function and constantsymbols. Let T be the set of first order terms constructed over Σ and V.

A substitution is a function σ : V → T that is not identity for a finite number ofparameters. We identify a substitution with its homomorphic extension to all terms (i.e.,σ : T → T ). Let S be the set of all substitutions.

We will use letters x and y, possibly with indices for variables, f and g for functionsymbols, c and d for constant symbols (functions of arity zero), σ and ρ for substitutions,t for ground terms, and p for possibly non-ground terms. We will use the notation [x1 :=t1, . . . , xn := tn] for substitutions, and σ[x := t] for a substitution augmented to return tfor x.

An instance of an E-matching problem2 consists of a finite set of active ground termsA ⊆ T , a relation ∼=g ⊆ A × A, and a finite set of non-variable, non-constant termsp1, . . . , pn, which we call the triggers. Let ∼= ⊆ T × T be the smallest congruence relationcontaining ∼=g. Let root : T → T be a function3 such that:

(∀t, s ∈ T . root(t) = root(s) ⇔ t ∼= s) ∧ (∀t ∈ T . root(t) ∼= t)

The solution to the E-matching problem is the set:

T ={

σ

∣∣∣∣ ∃t1, . . . , tn ∈ A. σ(p1) ∼= t1 ∧ . . . ∧ σ(pn) ∼= tn,∀x ∈ V. σ(x) = root(σ(x))

}The problem of deciding for a fixed A and ∼=g, and a given trigger, if T 6= ∅, is NP-

hard [10]. The NP-hardness is why each solution to the problem is inherently backtrackingin nature. In practice, though, the triggers that are used are small, and the problem isnot the complexity of a backtracking search for a particular trigger, but rather the fact

1Some heuristics are described in the Simplify technical report [6].2In automated reasoning literature, the term E-matching usually refers to a slightly different problem,

where A is a singleton and ∼= is not restricted to be finitely generated. On the other hand the Simplifytechnical report [6] as well as the recent Z3 paper [5] use the term E-matching in the sense defined above.

3Such a function exists by virtue of ∼= being equivalence relation, and is provided by the typical datastructure used to represent ∼=, namely the E-graph (see Simplify technical report [6] for details on E-graph).

fun simplify match([p1, . . . , pn])R := ∅proc match(σ, j)

if j = nil then R := R ∪ {σ}else case hd(j) of

(c, t) ⇒ /∗ 1 ∗/if c ∼= t then match(σ, tl(j))else skip

(x, t) ⇒ /∗ 2 ∗/if σ(x) = x then match(σ[x := root(t)], tl(j))else if σ(x) = root(t) then match(σ, tl(j))else skip

(f(p1, . . . , pn), t) ⇒ /∗ 3 ∗/foreach f(t1, . . . , tn) in A do

if t = ∗ ∨ root(f(t1, . . . , tn)) = t thenmatch(σ, (p1, root(t1)) :: . . . :: (pn, root(tn)) :: tl(j))

match([], (p1, ∗) :: . . . :: (pn, ∗) :: nil) /∗ 4 ∗/return R

Figure 1: Simplify’s matching algorithm

that in a given proof search there are often hundreds of thousands of matching problemsto solve.

3 Simplify’s Matching Algorithm

The Simplify technical report [6] describes a recursive matching algorithm simplify matchgiven in Fig. 1. The symbol :: denotes a list constructor, nil is an empty list and [] is anempty (identity) substitution. hd and tl are the functions returning, respectively, headand tail of a list (i.e., hd(x :: y) = x and tl(x :: y) = y). The command skip is a no-op.

The simplify match algorithm maintains the current substitution and a stack (imple-mented as a list) of (trigger, ground term) pairs to be matched. We refer to these pairsas jobs. Additionally, it uses the special symbol ∗ in place of a ground term to say thatwe are not interested in matching against any specific term, as any active term will do.

We start (line marked /∗ 4 ∗/) by putting the set of triggers to be matched on the stackand then proceed by taking the top element of the stack.

If the trigger in the top element is a constant (/∗ 1 ∗/), we just compare it against theground term, and if the comparison succeeded, recurse.

If the trigger is a variable x (/∗ 2 ∗/), we check if the current substitution alreadyassigns some value to that variable, and if so, we just compare it against the ground termt. Otherwise, we extend the current substitution by mapping x to t and recurse. Observethat t cannot be ∗ because we do not allow triggers to be single variables.

If the trigger is a complex term f(p1, . . . , pn) (/∗ 3 ∗/), we iterate over all the termswith f in the head (possibly checking if they are equivalent to the ground term we aresupposed to match against), construct the set of jobs matching respective children of thetrigger against respective children of the ground term, and recurse.

The important invariants of simplify match are: (1) the jobs lists contain stars insteadof ground terms only for non-variable, non-constant triggers; (2) all the ground terms t in

fun fetch(S, t, p)if S = > then return {[p := root(t)]}else if S = × ∧ t ∼= p then return {[]}else if S = × then return ∅else return S(root(t))

fun match(p)case p of

x ⇒ return >c ⇒ return ×f(p1, . . . , pn) ⇒

foreach i in 1 . . . n do Si = match(pi) /∗ 1 ∗/if ∃i. Si = ⊥ then return ⊥ /∗ 2 ∗/if ∀i. Si = × then return × /∗ 3 ∗/S := {t 7→ ∅ | t ∈ A}foreach f(t1, . . . , tn) in A do /∗ 4 ∗/

t := root(f(t1, . . . , tn))S := S[t 7→ S(t) t (fetch(S1, t1, p1) u . . . u fetch(Sn, tn, pn))]

if ∀t. S(t) = ⊥ then return ⊥else return S

fun topmatch(p) /∗ 5 ∗/S := match(p)return

⊔t∈A S(t)

fun subtrigger match([p1, . . . , pn])return topmatch(p1) u . . . u topmatch(pn)

Figure 2: Subtrigger matching algorithm

the job lists satisfy root(t) = t.The detailed discussion of this procedure is given in the Simplify technical report [6].

4 Subtrigger Matcher

This section describes a novel matching algorithm, optimized for linear triggers. A lineartrigger is a trigger in which each variable occurs at most once. Most triggers used inthe program verification problems we have inspected are linear. The linearity meansthat matching problems for subterms of a trigger are independent, which allows for moreefficient processing.

However, even if triggers are not linear, it pays off to treat them as linear, and onlyafter the matching algorithm is complete discard the resulting substitutions that assigndifferent terms to the same variable. This technique is often used in term indexes [12]used in automated reasoning. The algorithm, therefore, does not require the trigger to belinear.

This matcher algorithm is given in Fig. 2. It uses operations u and t, which are definedon sets of substitutions:

A uB = {σ ⊕ ρ | σ ∈ A, ρ ∈ B, σ ⊕ ρ 6= ⊥}A tB = A ∪B

σ ⊕ ρ ={⊥ when ∃x. σ(x) 6= x ∧ ρ(x) 6= x ∧ σ(x) 6= ρ(x)σ · ρ otherwise

σ · ρ(x) ={

σ(x) when σ(x) 6= xρ(x) otherwise

u returns a set of all possible non-conflicting combinations of two sets of substitutions. tsums two such sets. The next section shows an implementation of these operations thatdoes not use explicit sets.

The match(p) function returns the set of all substitutions σ, such that σ(p) ∼= t, for aterm t ∈ A, categorized by root(t). More specifically, match returns a map from root(t)to such substitutions, or one of the special symbols >, ⊥, ×. Symbol > means that p wasa variable x, and therefore the map is: {t 7→ {[x := t]} | t ∈ A, root(t) = t}, symbol ⊥represents no matches (i.e., {t 7→ ∅ | t ∈ A}), and × means p was ground, so the map is{root(p) 7→ {[]}} ∪ {t 7→ ∅ | t ∈ A, t 6= root(p)}4.

The only non-trivial control flow case in the match function is the case of a complextrigger f(p1, . . . , pn), which works as follows:

• /∗ 1 ∗/ recurse on subtriggers. Conceptually, we consider the subtriggers to be inde-pendent of each other (i.e., f(p1, . . . , pn) is linear). If they are, however, dependent,then the u operation filters out conflicting substitutions.

• /∗ 2 ∗/ check if there is any subtrigger that does not match anything, in which casethe entire trigger does not match anything.

• /∗ 3 ∗/ check if all our children are ground, in which case we are ground as well.

• /∗ 4 ∗/ otherwise we start with an empty result map S and iterate over all terms withthe correct head symbol. For each such term f(t1, . . . , tn), we combine (using t) thealready present results for root(f(t1, . . . , tn)) with results of matching pi against ti.The fetch function is used to retrieve results of subtrigger matching by ensuring thespecial symbols are treated as the maps they represent.

Finally (/∗ 5 ∗/) the topmatch function just collapses the maps into one big set.

4.1 S-Trees

The idea behind s-trees is to have a compact representation of sets of substitutions thatare efficiently manipulated during the matching.

The s-trees data structure itself can be viewed as a special case of substitution treesused in the automated reasoning [12] with rather severe restrictions on their shape. We,however, do not use the trees as an index and, in consequence, require a different set ofoperations on s-trees than those defined on substitution trees.

S-trees require a strict, total order ≺ ⊆ A × A and are defined inductively: (1) ε isan s-tree; (2) if T1, . . . , Tn are s-trees and t1, . . . , tn are ground terms, then x B ((t1, T1) ::. . . :: (tn, Tn) :: nil) is an s-tree.

4Here we assume all the ground subterms of triggers to be in A. This is easily achieved and does notaffect performance in our tests.

Figure 3: Example of s-tree operations

The invariant of the s-tree data structure is that in each node i < j ⇒ ti ≺ tj , andthat there exists a sequence of variables x1 . . . xk such that the root is x1 B (. . .) and eachnode (including the root) is xi B ((t1, xi+1 B (. . .)) :: . . . :: (tn, xi+1 B (. . .)) :: nil) orxk B ((t1, ε) :: . . . :: (tn, ε) :: nil) for some n, t1, . . . , tn and 1 ≤ i < k. In other words, thevariables at a given level of a tree are the same.

The yield function maps a s-tree into the set of substitutions it is intended to represent.

yield(ε) = {[]}

yield(x B ((t1, T1) :: . . . :: (tn, Tn) :: nil)) =

σ[x := ti]

∣∣∣∣∣∣i ∈ {1, . . . , n},σ ∈ yield(Ti)σ(x) = x ∨ σ(x) = ti

Example s-trees are given in Fig. 3. The trees are represented as ordered directed

acyclic graphs with aggressive sharing. An s-tree x B ((t1, T1) :: . . . :: (tn, Tn) :: nil) hasthe label x on the node, ti label the edges and each edge leads to another tree Ti. Theground symbol corresponds to the empty tree ε. E.g., the middle bottom one representsx B ((a, y B ((f(c), ε) :: (f(d), ε) :: nil)) :: (c, y B ((c, ε) :: nil)) :: nil), which yields{[x := a, y := f(c)], [x := a, y := f(d)], [x := c, y := c]}.

The t and u functions are defined so that yield is a homomorphism from s-trees tosets of substitutions.

ε u T = Tx B ((t1, T1) :: . . . :: (tn, Tn) :: nil) u T = x B ((t1, T1 u T ) :: . . . :: (tn, Tn u T ) :: nil)

ε t ε = εx B (X) t x B (Y ) = x B (aux(X, Y ))

aux((t, T ) :: X, (t′, T ′) :: Y ) =

(t, T t T ′) :: aux(X, Y ) t = t′

(t, T ) :: aux(X, (t′, T ′) :: Y ) t < t′

(t′, T ′) :: aux((t, T ) :: X, Y ) t′ < taux(nil,X) = Xaux(X, nil) = X

Figure 4: Example of an index for flat triggers with g in head

The u corresponds to stacking trees one on top of another, while t does a recursive merge.Example applications are given in Fig. 3.

The precondition of the t operator is that the operands have the same shape, mean-ing the x1 . . . xk sequence from the invariant is the same for both trees; otherwise, t isundefined. This precondition is fulfilled by the subtrigger matcher, since it only combinestrees resulting from matching of the same trigger, which means the variables are alwaysaccessed in the same order.

To change subtrigger match to use s-trees, we need to change the fetch function, toreturn p B ((root(t), ε) :: nil) instead of [p := root(t)], ε instead of {[]} and x B (nil)for some variable x instead of ∅. After this is done we only call yield at the very end, totransform s-tree into a set of substitutions.

5 Flat Matcher

During performance testing, we found that most triggers shared the head symbol andmatching them was taking a considerable amount of time. Moreover, the triggers hada very simple form: f(x, c)5. This form is a specific example of something we call flattriggers. A flat trigger is a trigger in which each variable occurs at most once and at adepth of one.

Flat triggers with a given head can be matched all at once by constructing a tree thatindexes all the triggers with given function symbol in the head. Such a tree can be viewedas a special kind of a discrimination tree [12], where we consider each child of the patternas a constant term, instead of traversing it pre-order.

We assume, without loss of generality, each function symbol to have only one ar-ity. A node in the index tree is either a set of triggers {p1, . . . , pn}, or a set of pairs{(t1, I1), . . . , (tn, In)}, where each of the ti is a ground term or a special symbol ∗, and Ii

are index trees.We call (t1, . . . , tn, p) a path in I if and only if: (1) n = 0 and p ∈ I; or (2) (t1, I ′) ∈ I

and (t2, . . . , tn, p) is a path in I ′.Let star(x) = ∗ for a variable x and star(t) = t, for any non-variable term t. We

say that I indexes a set of triggers Q if for any f(p1, . . . , pn) ∈ Q there exists a path(star(p1), . . . , star(pn), f(p1, . . . , pn)) in I, and for every path there exists a correspondingtrigger.

Given an index I, we find all the triggers that match the term f(t1, . . . , tn) by callingmatch′(f(t1, . . . , tn), (t1, . . . , tn), {I}), where match′ is defined as follows:

5The actual function symbol was a subtyping predicate in ESC/Java2’s object logic.

fun topmatch(p)if p is flat then

let f(p1, ..., pn) = pIf := index for all triggers with head fforeach p in If do Sp := ∅foreach f(t1, . . . , tn) in A do

foreach t 7→ T in match′(f(t1, . . . , tn), [t1, . . . , tn], If ) doSt := St t T

return Sp

elseS := match(p)return

⊔t∈A S(t)

Figure 5: Flat matcher

match′(t, (t1, . . . , tn), A) =match′(t, (t2, . . . , tn), {I ′ | I ∈ A, (p, I ′) ∈ I, p ∼= t1 ∨ p = ∗})

match′(f(t1, . . . , tn), nil, A) ={f(p1, . . . , pn) 7→ ui=1...n, pi∈V [pi := root(ti)] | I ∈ A, f(p1, . . . , pn) ∈ I}

The algorithm works by maintaining the set of trigger indices A containing triggers thatstill possibly match t. At the bottom of the tree we extract the children of t correspondingto variables in the trigger, skipping over ground subterms of the trigger.

A flat-aware matcher is implemented by replacing the topmatch function from Fig. 2with the one from Fig. 5. The point of using it, though, is to cache If and St across callsto subtrigger match.

6 Implementation and Experiments

We have implemented all three algorithms inside the Fx7 SMT checker6. Fx7 is imple-mented in the Nemerle language and runs on the .NET platform. In each case the im-plementation is highly optimized and only unsatisfactory results with the simplify matchalgorithm led to designing and implementing second and third algorithm.

The implementation makes heavy use of memoization. Both terms and s-trees useaggressive (maximal) sharing. The implementations of u and t memoize results. We alsouse subtraction operation on s-trees, corresponding to set subtraction. Its implementationlooks very much like t.

An important point to consider in the design of matching algorithms is incrementality.The prover will typically match, assert a few facts, and then match again. The prover isthen interested only in receiving the new results. The Simplify technical report [6] citestwo optimizations to deal with incrementality. We have implemented one of them, themod-time optimization, in all three algorithms. The effects are mixed, mainly because ourusage patterns of the matching algorithm are different than those of Simplify: we generallychange the E-graph more between matchings due to our proof search strategy.

To achieve incrementality we memoize s-trees returned on a given proof path and thenuse the subtraction operation to remove substitutions that had been returned previously.

6Available online at http://nemerle.org/fx7/.

Another fine point is that the loop over all active terms in the implementations ofall three algorithms skips some terms: if we have inspected f(t1, . . . , tn) then we skipf(t′1, . . . , t

′n) given that ti ∼= t′i for i = 1 . . . n. Following work on fast, proof-producing

congruence closure [11], we encode all the terms using only constants and a single bi-nary function symbol ·(. . .). E.g., f(t1, . . . , tn) is represented by ·(f, ·(t1, . . . · (tn−1, tn))).Therefore the loop over active terms is skipped when root(·(t1, . . .·(tn−1, tn))) was alreadyvisited.

We use a representation of terms, where only constants and a single binary functionsymbol (this is due to the fast, proof-producing congruence closure). If the term represen-tation used is based on a single binary function symbol and constants, it is easy to spotsuch cases.

Yet another issue is that we map all the variables to one special symbol during thematching, do not store the variable names in s-trees, and only introduce the names wheniterating the trees to get the final results (inside the yield function). This allows for moresharing of subtriggers between different triggers.

The test were performed on a 1 GHz Pentium III box with 512 MiB of RAM runningLinux and Nemerle r7446 on top of Mono 1.2.3. The memory used was always under 200MiB. We run the prover on a set of verification queries generated by the ESC/Java [9] andBoogie [2] tools. The benchmarks are now available as part of the SMT-LIB [13].

The flat matcher helps speed up matching by around 20% in the Boogie benchmarksand around 50% in the ESC/Java benchmarks. The flat matcher is around 2 times fasterthan Simplify’s matcher in the Boogie benchmarks and around 10 times in the ESC/Javabenchmarks.

Now we give some intuitions behind the results. For example, consider the triggerf(g1(x1), . . . , gn(xn)). If each of gi(xi) returns two matches, except for the last one whichdoes not match anything, the subtrigger matcher exits after O(n) steps, while the Simplifymatcher performs O(2n) steps. Even when gn(xn) actually matches something (which ismore common), the subtrigger algorithm still performs O(n) steps to construct the s-treeand only performs O(2n) steps walking that tree. These steps are much cheaper (as thetree is rather small and fits the CPU cache) than matching the gis several times, whichSimplify’s algorithm does. The main point of the subtrigger matcher is therefore not torepeat work for a given (sub)trigger more than once.

The benefits of the flat matcher seem to be mostly CPU cache-related. For example, atypical problem might have one hundred triggers with head f , and one thousand groundterms with the head f . The flat matcher processes a data structure (of size one hundred)one thousand times, while the subtrigger matcher (and also Simplify’s matcher) processesa different data structure (of size one thousand) one hundred times. Consequently, giventhese data structures occupy a considerable amount of memory, frequently the smallerdata structures in the former case fit the cache, while the larger ones in the latter case donot.

7 Conclusions and Related Work

We have presented two novel algorithms for E-matching. They are shown to outperformthe well-known Simplify E-matching algorithm.

The E-matching problem was first described, along with a solution, in the Simplifytechnical report [6]. We know several SMT checkers, like Zap [1], CVC3 [3], Verifun [8],Yices [7] and Ergo [4] include matching algorithms, though there seem to be no publicationsdescribing their algorithms. Specifically, Zap uses a different algorithm that also relies on

the fact of triggers being linear and uses a different kind of s-trees. Zap, however, doesnot do anything special about flat triggers.

In a recent paper [5] on Z3 (a rewrite of the Zap prover), a way of compiling patternsinto a code tree that is later executed against ground terms is defined. Such a tree isbeneficial if there are many triggers that share the top part of triggers. Alternatively, weexploit sharing in the bottom parts of triggers, and the flat matcher handles the case ofsimple triggers that share only the head symbol. The Z3 authors also propose an indexon the ground terms that is used to speed up matching in an incremental usage pattern.Such an index could perhaps be used also with our approach. Of course, the usefulnessof all these techniques largely depends on benchmarks and the particular search strategyemployed in an SMT solver.

Some of the problems in the field of term indexing [12] in saturation-based theoremprovers are also related. As mentioned earlier, our work uses ideas similar to substitutiontrees and discrimination trees. It seems to be the case, however, that the usage patternsin the saturation provers are different than those in SMT solvers. Matching SMT solversmust deal with several orders of magnitude fewer non-ground terms, a similar numberof ground terms, but the time constraints are often much tighter. This different set ofconstraints and goals consequently leads to the construction of different algorithms anddata structures.

We would like to thank Mikolas Janota for his comments regarding this paper.This work is being supported by the European Project Mobius within the frame of

IST 6th Framework, national grants from the Science Foundation Ireland and EnterpriseIreland and by the Irish Research Council for Science, Engineering and Technology. Thispaper reflects only the authors’ views and the Community is not liable for any use thatmay be made of the information contained therein. This work is partially supportedby Science Foundation Ireland under grant number 03/CE2/I303-1, “LERO: the IrishSoftware Engineering Research Centre.”

References

[1] Thomas Ball, Shuvendu K. Lahiri, and Madanlal Musuvathi. Zap: Automated the-orem proving for software analysis. In Geoff Sutcliffe and Andrei Voronkov, editors,LPAR, volume 3835 of Lecture Notes in Computer Science, pages 2–22. Springer,2005.

[2] Mike Barnett, K. Rustan M. Leino, and Wolfram Schulte. The Spec# programmingsystem: An overview. In Proceeding of CASSIS 2004, volume 3362 of Lecture Notesin Computer Science. Springer–Verlag, 2004.

[3] Clark Barrett and Sergey Berezin. CVC Lite: A new implementation of the cooperat-ing validity checker. In Rajeev Alur and Doron A. Peled, editors, Proceedings of the16th International Conference on Computer Aided Verification (CAV ’04), volume3114 of Lecture Notes in Computer Science, pages 515–518. Springer-Verlag, July2004. Boston, Massachusetts.

[4] Sylvain Conchon, Evelyne Contejean, and Johannes Kanig. Ergo: a theorem proverfor polymorphic first-order logic modulo theories. http://ergo.lri.fr/ergo.ps.

[5] Leonardo de Moura and Nikolaj Bjorner. Efficient E-matching for SMT solvers. InProceedings of the 21st International Conference on Automated Deduction (CADE-21). Springer, 2007, to appear.

[6] David Detlefs, Greg Nelson, and James B. Saxe. Simplify: a theorem prover forprogram checking. J. ACM, 52(3):365–473, 2005.

[7] Bruno Dutertre and Leonardo de Moura. A fast linear-arithmetic solver for DPLL(T).In Thomas Ball and Robert B. Jones, editors, CAV, volume 4144 of Lecture Notes inComputer Science, pages 81–94. Springer, 2006.

[8] Cormac Flanagan, Rajeev Joshi, and James B. Saxe. An explicating theorem proverfor quantified formulas. Technical Report 199, HP Labs, 2004.

[9] Cormac Flanagan, K. Rustan M. Leino, Mark Lillibridge, Greg Nelson, James B. Saxe,and Raymie Stata. Extended static checking for Java. In ACM SIGPLAN 2002 Con-ference on Programming Language Design and Implementation (PLDI’2002), pages234–245, 2002.

[10] Dexter Kozen. Complexity of finitely generated algebras. In Proceedings of the 9th

Symphosium on Theory of Computing, pages 164–177, 1977.

[11] R. Nieuwenhuis and A. Oliveras. Proof-producing congruence closure. In J. Giesl,editor, 16th International Conference on Term Rewriting and Applications, RTA’05,volume 3467 of Lecture Notes in Computer Science, pages 453–468. Springer, 2005.

[12] I. V. Ramakrishnan, R. C. Sekar, and Andrei Voronkov. Term indexing. In John AlanRobinson and Andrei Voronkov, editors, Handbook of Automated Reasoning, pages1853–1964. Elsevier and MIT Press, 2001.

[13] SMT-LIB: The satisfiability modulo theories library. http://www.smt-lib.org/.

Generating minimum transitivity constraints in P-time fordeciding Equality Logic

Ofer Strichman and Mirron Rozanov

Information Systems Engineering, IE, Technion, Israel.ofers@ie.technion.ac.il mirron@tx.technion.ac.il

Abstract. In a CAV’05 paper [MS05] we introduced a new decision procedure for Equality Logic: eachequality predicate is encoded with a Boolean variable, and then a set of transitivity constraints areadded to compensate for the loss of transitivity of equality. The constraints are derived by analyzingContradictory Cycles : cycles in the equality graph with exactly one disequality. Such a cycle is calledconstrained under a formula ϕ if ϕ is not satisfied with an assignment of true to all equality edges andfalse to the disequality edge. While we proved in [MS05] that it is sufficient to constrain all simplecontradictory cycles, we left open the question of how to find the necessary constraints in polynomialtime. Instead, we showed two possible compromises: an exponential algorithm, or, alternatively, apolynomial approximation that constrains all contradictory cycles rather than only the simple ones. Inthis article we show a polynomial algorithm that constrains only the simple contradictory cycles.

1 Introduction

Equality Logic with Uninterpreted Functions is a major decidable logic used in verification of infinite-state systems. Well-formed expressions in this logic are Boolean combinations of Equality predicates, wherethe equalities are defined between term-variables (variables with some infinite domain) and UninterpretedFunctions. The Uninterpreted Functions can be reduced to equalities via e.g. Ackermann’ reduction [Ack54],hence the underling theory that is left to solve is that of Equality Logic. We refer the reader to [MS05] fora description of some of the usage cases of this logic and a survey of previous work on decision proceduresfor it.

The following framework is used by [BV00,MS05] and the current work to reduce the problem of decidingwhether an Equality Logic formula ϕE is satisfiable, to the problem of deciding a propositional formula:

1. Let E denote the set of equality predicates appearing in ϕE. Derive a Boolean formula B by replacingeach equality predicate (xi = xj) ∈ E with a new Boolean variable ei,j . Encode disequality predicateswith negations, e.g., encode i 6= j with ¬ei,j .

2. Recover the lost transitivity of equality by conjoining B with explicit transitivity constraints jointlydenoted by T (T for Transitivity). T is a formula over B’s variables and, possibly, auxiliary variables.

The Boolean formula B∧T should be satisfiable if and only if ϕE is satisfiable. Further, it should be possibleto construct a satisfying assignment to ϕE from an assignment to the ei,j variables.

In an earlier work [MS05] this framework was instantiated as follows (the terms that follow will be formallydefined in Section 2). The transitivity constraints are derived by analyzing Contradictory Cycles: cycles inthe Equality Graph with exactly one disequality. Such a cycle is called constrained under a formula ϕ if ϕis not satisfied with an assignment of true to all equality edges and false to the disequality edge. Whileit was proven in [MS05] that it is sufficient to constrain all simple contradictory cycles, the question of howto find the necessary constraints in polynomial time was left open. Instead, two possible compromises weresuggested: an exponential algorithm[Mei05], or, alternatively, a polynomial approximation that constrainsall contradictory cycles rather than only the simple ones. In this article we show a polynomial algorithmthat constrains only the simple contradictory cycles.

While this article only replaces one (crucial) component in a previously-published decision procedure[MS05], it is written with the goal of being self-contained, assuming most readers are not familiar with the

previous work1. In the next section we list several basic definitions that are necessary for understanding thesetting; in Section 3 the main theorem on which this work (as well as [MS05]) is based on is re-presented; inSection 4 we describe the new decision procedure, and we conclude with a list of experiments in Section 5.A detailed comparison to [MS05,Mei05] appears in Section 4.2.

2 Basic Definitions

The Equality formula ϕE is assumed to be given in Negation Normal Form (NNF), which means thatnegations are only applied to atoms, or equality predicates in our case. Every formula can be transformed tothis form in linear time in the size of the formula. Given an NNF formula, denote by E= the set of (unnegated)equality predicates, and by E6= the set of disequalities (negated) equality predicates. The Reduced TransitivityConstraints (RTC) method of [MS05] relies on graph-theoretic concepts.

Definition 1 (Equality Graph). Given an Equality Logic formula ϕE, the Equality Graph correspondingto ϕE, denoted by GE(ϕE), is an undirected graph (V, E=, E6=) where each node v ∈ V corresponds to a variablein ϕE, and each edge in E= and E6= corresponds to an equality or disequality from the respective equalitypredicates sets E= and E6=. By convention E= edges are dashed and E 6= edges are solid.

Every edge in the Equality Graph corresponds to a variable ei,j ∈ B. It follows that when we refer to anassignment of an edge, it should be understood as an assignment to the variable that corresponds to thisedge. Also, we will simply write GE to denote an Equality Graph when not referring to a specific formula.

Note that Equality Graphs abstract the formulas from which they are built: they ignore the Booleanconnectives. Hence, an Equality Graph GE(ϕE) represent all formulas that have the same predicate sets asϕE.

Example 1. Figure 1 shows an Equality Graph GE(ϕE) for some Equality Formula ϕE for which E= : {(x1 =x5), (x5 = x6), (x6 = x2), (x3 = x7), (x7 = x8), (x8 = x4)} and E6= : {(x1 6= x2), (x2 6= x3), (x3 6= x4), (x3 6=x8)}. An assignment true to an edge (regardless whether it is an E= or E6= edge), means that the equalityis satisfied; Hence, to satisfy an E6= edge an assignment false is required.

��������

��������

����

���

���

����

x3x2 x4

x5

x1

x7 x8x6

Fig. 1. An Equality Graph GE(ϕE)

utTransitivity of equality can be enforced for every three variables in ϕE:

Definition 2 (Transitivity Constraint). For variables xi, xj , xk, the constraint

ei,j ∧ ej,k → ei,k

is called a transitivity constraint.

Such constraints can be added to T for every three variables in ϕ (in fact, this was one of the methodssuggested by Bryant and Velev in [BV00]), although typically it is possible to find efficiently a small subsetof them that is still sufficient for the reduction, as shown in [BV00,MS05] and in this article.1 Some of the definitions and examples from [MS05] are in fact repeated here without change.

Definition 3 (Equality Path). An Equality Path in an Equality Graph GE is a path made of E= (dashed)edges. Denote by x =∗ y the fact that x has an Equality Path to y in GE, where x, y ∈ V .

Definition 4 (Disequality Path). A Disequality Path in an Equality Graph GE is a path made of E=

(dashed) edges and a single E6= (solid) edge. Denote by x 6=∗ y the fact that x has a Disequality Path to y inGE, where x, y ∈ V .

Equality and Disequality paths are called simple if no vertex in the path is repeated. In Figure 1 it holds,for example, that x2 =∗ x5 due to the simple path x2, x6, x5; x2 6=∗ x5 due to the simple path x2, x1, x5; andx5 6=∗ x7 due to the simple path x5, x6, x2, x3, x7.

Intuitively, an Equality Path xi =∗ xj in GE implies that xi and yi are possibly required to be equal inorder to satisfy the formula from which GE was built. A Disequality Path xi 6=∗ xj implies the opposite: xi

and xj are possibly required to be different in order to satisfy this formula. More formally, if xi =∗ xj insome equality graph GE

1 , then there exists a satisfiable equality formula ϕE such that GE(ϕE) ≡ GE1 and in

every satisfying assignment to ϕE, xi = xj . The formal description for xi 6=∗ xj is similar.

Definition 5 (Contradictory Cycle). A Contradictory Cycle in an Equality Graph is a cycle with exactlyone disequality (solid) edge.

Several characteristics of contradictory cycles are:

1. For every pair of nodes x, y in a Contradictory Cycle, it holds that x =∗ y and x 6=∗ y.2. For every Contradictory Cycle C, either C is simple or a subset of its edges forms a Simple Contradictory

Cycle. It is sufficient, therefore, to refer only to simple contradictory cycles.3. It is impossible to satisfy simultaneously all the predicates that correspond to edges of a Contradictory

Cycle. Further, this is the only type of subgraph with this property.

The polarity information (whether the edge represents an equality or disequality) in the equality graph isuseful due to the following property of NNF formulas.

Theorem 1 (Monotonicity of NNF). Let φ be an NNF formula and α be an assignment such that α |= φ.Let the positive set S of α be the positive literals in φ assigned true and the negative literals in φ assignedfalse. Every assignment α′ with a positive set S′ such that S ⊆ S′ satisfies φ as well.

The same theorem was used, for example, in [PRSS02].Two graph-theoretical concepts that are used by our algorithm are:

Definition 6 (Chord). A chord in a cycle is an edge between two non-adjacent vertices.

Definition 7 (Chordal graphs). A graph is called chordal if no cycle of size four or more in the graph ischord-free.

Every graph can be made chordal in polynomial time by adding edges. The following procedure returns aset of chords sufficient for making an graph G(V,E) chordal:

1. While V 6= ∅:(a) Choose a vertex v ∈ V ;(b) Add to E an edge between every two neighbors of v (if it was not already in E).(c) Remove v and its incident edges.

2. Return the set of edges that were added in line 1b.

The order by which vertices are chosen in line 1a affects the number of added chords. A simple greedycriterion is to choose the vertex that adds the least number of edges (finding the smallest set of edges thatmake a graph chordal is NP-hard).

Chordal graphs were used by [BV00] in the context of their observation that transitivity should beenforced only on chord-free cycles (which, in a chordal graph, are only the triangles). In [MS05], as wellas in this paper, it is used in a different context, but with a similar purpose: it enables the algorithm toconstrain only triangles. More specifically, although a graph (V, E) can contain an exponential number ofcontradictory cycles in |V |, it can only contain a polynomial number of triangles. Yet, enforcing transitivityon triangles (whether they are contradictory or not) is sufficient for enforcing it on all contradictory cycles,as shown in [MS05] and in Section 4.

3 Main Theorem

The key idea that is formulated by Theorem 2 below and later exploited by our algorithm rtcS , can firstbe demonstrated by a simple example.

Example 2. For the Equality Graph in Figure 2(left), the single transitivity constraint T = (e0,2∧e1,2 → e0,1)is sufficient.

��������

����

x0 x1

x2

α α′

e0,1 true truee1,2 true truee0,2 false true

Fig. 2. An equality graph for Example 2, demonstrating how an assignment that contradicts transitivity, can bechanged to one that respects transitivity.

To justify this claim, it is sufficient to show that for every assignment α that satisfies B ∧ T , there exists anassignment α′ that satisfies B and transitivity of equality. Since this, in turn, implies that ϕE is satisfiableas well, then it is implied that ϕE is equisatisfiable to B ∧ T .

It is possible to construct such an assignment α′ because of the monotonicity of NNF (recall that thepolarity of the edges in the Equality Graph are according to their polarity in the NNF representation of ϕE).There are only two satisfying assignments to T that do not satisfy transitivity. One of these assignments isshown in the α column in the table to the right of the drawing. The second column shows a correspondingassignment α′, which clearly satisfies transitivity. It is left to prove that every formula B that correspondsto the above graph, is still satisfied by α′ if it was satisfied by α. For example, for B = (¬e0,1 ∨ e1,2 ∨ e0,2),both α |= B ∧ T and α′ |= B and respects transitivity. Intuitively, this is guaranteed to be true because α′

is derived from α by flipping an assignment of a positive (un-negated) predicate (e0,2) from false to true.Similarly, we can flip an assignment to a negated predicate (e0,1 in this case) from true to false.

A formalization of this argument requires a reference to the monotonicity of NNF (Theorem 1): Let Sand S′ denote the positive sets of α and α′ respectively. Then in this case S = {e1,2} and S′ = {e1,2, e0,2}.Thus S ⊂ S′ and hence, according to Theorem 1, α |= B → α′ |= B. utSeveral definitions are needed in order to generalize this example into a theorem.

Definition 8 (A constrained Contradictory Cycle). Let C = (es, e1, . . . , en) be a Contradictory Cyclewhere es is the solid edge. Let ψ be a formula over the Boolean variables in B that encodes the edges of C.C is said to be constrained in ψ if the assignment (es, e1, . . . , en) ← (F, T, . . . , T ) contradicts ψ.

Definition 9 (A Reduced Transitivity Constraints formula T ). A Reduced Transitivity Constraints(RTC) formula T for an equality graph GE is a conjunction of transitivity constraints that constrains all thesimple contradictory cycles in GE2.

Consider, for example, an Equality Graph in which all edges are solid (disequalities): in such a graph thereare no contradictory cycles and hence no constraints are required: T = true.

Theorem 2 (Main). Let ϕE be an equality formula, and let T be an RTC formula for GE(ϕE). Then ϕE issatisfiable if and only if B ∧ T is satisfiable.

2 The definition of this term in [MS05] includes an additional requirement, that it is not more restrictive than theconstraint generated by Bryant and Velev’s Sparse method technique. This restriction is not necessary in ourcontext.

The proof of this theorem appears in [MS05] and [Mei05]. Since T is a conjunction of transitivity constraints,the proof of the ‘only if’ direction (⇒) is trivial. To prove the other direction it is shown in [Mei05] thatthere exists an algorithm for reconstructing an assignment that satisfies all transitivity constraints from agiven assignment α that only satisfies T .

Given Theorem 2, it is left to show an algorithm that generates a formula that constrains all simplecontradictory cycles. In [MS05] we presented the rtc algorithm for this purpose, parts of which are re-usedhere in the description of the new algorithm rtcS . The latter only constrains simple contradictory cycles,as it should according to Theorem 2, hence the superscript S. It is also simpler to describe and implementthan rtc.

4 The rtcS algorithm

The rtcS algorithm processes Biconnected Components (BCC) [CLR00] in the given Equality Graph.

Definition 10 (Maximal Biconnected Component). A Biconnected Component of an undirected graphis a maximal set of edges such that any two edges in the set lie on a common simple cycle.

It is sufficient to focus on BCCs because only cycles need to be constrained (more specifically, contradictorycycles). Each considered BCC contains a solid edge es and all the contradictory cycles that it is part of. Inline 4, rtcS makes the BCC chordal, by adding edges. After the graph is chordal rtcS calls Generate-constraintsS , which strengthens T with all the transitivity constraints that are necessary for constrainingall the contradictory cycles in this BCC with respect to es.

Algorithm 1 rtcS returns a formula T , which conjoins all the transitivity constraints that are sufficientand necessary in order to constrain all simple contradictory cycles in a given equality graph.rtcS (Equality Graph GE(V, E=, E 6=))

1: T = true2: for all es ∈ E 6= do3: Find B(es), the maximal BCC in GE that is made of es and E= edges;4: Make B(es) chordal; . This step adds new dashed edges.5: Generate-constraintsS (B(es)); . see Algorithm 2.6: end for7: return T ;

A possible optimization to rtcS is to reuse chords: denote by Ep the union of chords that were addedin previous iterations of the algorithm (when other BCCs were considered), and GE

6= edges. The greedycriterion by which vertices are chosen (see the algorithm for making graphs chordal after Definition 7)should be changed as follows: rather than counting the number of added edges, count only those edges thatare added and are also not in Ep (since Ep edges are already represented in the resulting formula). Thisoptimization reduces the number of added chords and, consequently, the number of variables and constraints.

4.1 Deriving transitivity constraints in P time

Let B be a chordal biconnected component in which there is a single solid edge es adjacent to verticesxs,x′s. The algorithm in Fig. 2 finds the necessary and sufficient constraints for constraining all the simplecontradictory cycles with respect to es. We will use a convention by which removing a vertex implies removingits incident edges. Also, we will use set notation for graph elements when the meaning is clear from thecontext, for example:

– (xi, xj) ∈ B means that the graph B has an edge (xi, xj),

Algorithm 2 Generate-constraintsS adds transitivity constraints to a (global) formula T , that aresufficient and necessary for constraining all the simple contradictory cycles in a given bi-connected componentwith a single solid edge es = (xs, x

′s).

1: procedure Generate-constraintsS(Chordal BCC B(V, E))2: for each vertex v ∈ {V \ {xs, x

′s}} do

3: Let B′ = B \ v.4: for every (xi, xj) that

4.1 is on a simple cycle with es in B′ (or es ≡ (xi, xj)), and4.2 {(v, xi), (v, xj)} ∈ B

do5: T = T ∧ (ev,xi ∧ ev,xj → exi,xj )6: end for7: end for8: end procedure

– B′ ⊆ B means that B′ is a subgraph of B,– B \ v is the graph B after the removal of the vertex v and its incident edges from B.

Two comments about Generate-constraintsS :

– An optimization for line 5 is to add the constraint only if it was not added before. Our implementationin fact maintains the constraints as a set, and generates T only in the end.

– The condition in line 4.1 can be checked in polynomial time, by, for example, building a maximal BCCB′′ around es in B′. Every edge in B′′ is on a simple cycle with es in B′.

Example 3. Consider the Equality Graph in Figure 3. Assume that the vertices are examined in line 2 in anorder corresponding to the variable index. For this graph, x1, x6 are those vertices called xs, x

′s in Generate-

constraintsS . The first vertex examined in line 2 is therefore x2. The edge (x1, x5) is the only one fulfillingthe two conditions: (x2, x1), (x2, x5) are edges in B, and it is on a simple cycle with es in B′. Indeed, (x1, x5)is an edge in B′′ = (x1, x6, x5), the maximal BCC that contains es after the removal of x2 and its incidentedges. Therefore the constraint e1,2 ∧ e2,5 → e1,5 is the only one added in this iteration. The table belowshows the constraints added in each iteration.

��������

����

��������

���

���

��������

x1

x5x6 x4

x3x2Examining... Added constraintsx2 e1,2 ∧ e2,5 → e1,5

x3 e2,3 ∧ e3,4 → e2,4

x4 e2,4 ∧ e4,5 → e2,5

x5 e1,5 ∧ e5,6 → e1,6

Fig. 3. An Equality Graph for Example 3.

Theorem 3. For a chordal BCC B with a single solid edge es, the constraints added by Generate-constraintsS(B) are sufficient and necessary for constraining all simple contradictory cycles in B.

Proof. (Sufficiency) We first prove the following:

Lemma 1. If for every triangle (xi, v, xj) in B such that (xi, v), (v, xj) 6= es and (xi, v), (v, xj) is part ofa simple contradictory cycle, the transitivity constraint ei,v ∧ ev,j → ei,j is in T , then T constrain all thesimple contradictory cycles in B.

Proof. Let C be a simple contradictory cycle in B. By induction on the size of C:Base: Let C be a triangle (xi, v, xj), where (xi, xj) is the solid edge es. Since (xi, v), (v, xj) are part of a

contradictory cycle, the constraint ei,v ∧ ev,j → ei,j is in T . Thus, C is constrained in C.Step: Assume the Proposition holds for C of size n (n ≥ 3), and consider C with size n + 1. Since

C is chordal, it can be decomposed into a triangle, say xi, v, xj , and another contradictory cycle C ′ =C \ {(xi, v), (v, xj)} ∪ (xi, xj) (this observation is proven as Proposition 2 in [Mei05]). By the inductionhypothesis, C ′ is constrained by T (since |C ′| = n). The constraint ei,v ∧ ev,j → ei,j is in T because(xi, v), (v, xj) is part of C, which, recall, is a simple contradictory cycle. Now, assume that C is not constrainedby T , i.e. an assignment α that assigns true to all dashed edges and false to es still satisfies T . In thisassignment ei,v, ev,j are assigned true, but then ei,j is assigned true as well due to the constraint mentionedabove. Hence, in C ′ all dashed edges are assigned true whereas es is assigned false, which contradicts theinduction hypothesis. utIt is left to show that the constraints added by rtcS satisfy the premise of Lemma 1, i.e., that it adds aconstraint ei,v ∧ ev,j → ei,j for every triangle (xi, v, xj) in B such that (xi, v), (v, xj) 6= es and (xi, v), (v, xj)are part of a simple contradictory cycle.

Lemma 2. Let (xi, v, xj) be a dashed triangle in B such that there exists a simple contradictory cycle through(xi, v), (v, xj). Then there exists a simple contradictory cycle in B through (xi, xj) that does not go throughv.

Proof. Let C be a simple contradictory cycle that goes through (xi, v), (v, xj), and let C ′ = C\{(xi, v), (v, xj)}∪(xi, xj). Observe that in a simple cycle C, the degree of each vertex (counting only C edges) is 2. It is easyto see that the degree of each vertex in C ′ is the same as in C, other than v for which the degree is reducedfrom 2 to 0 (which means that is not part of C ′). Hence C ′ is simple and does not go through v. ut

The contra-positive conclusion from Lemma 2 is that if (xi, xj) is not part of a simple contradictorycycle with es in B′, then (xi, v), (v, xj) is also not in a simple contradictory cycle with es. But since thisis the only case in which Generate-constraintsS does not add a constraint, we conclude that it addsthe constraints as required by the premise of Lemma 1, i.e. it adds a constraint ei,v ∧ ev,j → ei,j for everytriangle (xi, v, xj) in B such that (xi, v), (v, xj) 6= es and (xi, v), (v, xj) are part of a simple contradictorycycle. Hence, by Lemma 1, T constrains all simple contradictory cycles in B.

(Necessity) Falsely assume that there is a redundant constraint, e.g. there exists a constraint exi,v ∧ev,xj → exi,xj although (xi, v), (v, xj) is not part of a simple contradictory cycle or that (xi, xj) 6∈ B. If thisconstraint is added (in line 5), it means that (xi, xj) is part of a simple contradictory cycle C ′ with es notthrough v. But this means that C = C ′ \ (xi, xj)∪{(xi, v), (v, xj)} must be simple as well (it adds a vertex vwith degree 2, and does not change the degree of the other vertices), which contradicts the assumption. ut

4.2 The differences between rtc and rtcS

As was mentioned earlier, the original Generate-Constraints procedure that appeared in [MS05] addedenough transitivity constraints to constrain all contradictory cycles, and not just the simple ones as requiredby Theorem 2. The graph in Figure 4 demonstrates the difference between the results of the two algorithms.Consider the constraints that are added when removing x7 in line 2 of rtcS : the edge (x1, x8) is es itself andhence the constraint e1,7 ∧ e7,8 → e1,8 is added. No other edge fulfills the condition in line 4.1. Generate-Constraints, on the other hand, adds, for example, also the constraint e6,7∧e5,7 → e5,6, because of the non-simple cycle (x1, x2, x3, x5, x7, x6, x7, x8, x1). All together Algorithm Generate-constraintsS generates16 constraints for this graph, whereas Generate-Constraints generates 26 constraints.

Algorithm Generate-constraints of [MS05] traverses the BCC, each time expanding the contradictorycycle while adding transitivity constraints. It starts from each triangle that one of its edges is es. From thereit gradually increases the cycle it examines (at each step it replaces an edge with two edges that lean onthat edge) while adding constraints. To avoid traversing an exponential number of paths, it uses a cache ofconstraints, and stops traversing the graph in a direction that results in a constraint that already appears in

��������

����

��������

���

���

������

������

���

���

��������

x1

x8

x3x2 x4

x5x6x7

Fig. 4. An Equality Graph that demonstrates the difference between rtc and rtcS .

the cache. This, in turn, requires that all cycles are traversed, rather than only the simple ones. In [Mei05]we also showed an algorithm that does not use the cache, and hence generates the requested formula (i.e.not overly constrained), but the algorithm there is worst-case exponential.

5 Experiments and conclusions

We re-ran the experiments with random equality graphs, which were first presented in [MS05]. Table 1presents the comparison. Each line in the table corresponds to the same 10 randomly generated topologies,with 1% of ‘double edges’ (edges that are both solid and dashed), the % of dashed edges as specified in thefirst column, and the rest are solid. The number of vertices is 200, and the number of edges is 800.

Overall, there is a decrease of 17% in the number of transitivity constraints, and 32% decrease in therun time of the algorithm (not including SAT time). For comparison, on the same graphs the sparse method[BV00], which generates three constraints for each triangle in the graph regardless of their polarity, generates390165 constraints on average (regardless of the ratio between solid and dashed edges). For most of thesegraphs the formula could not be generated by the exponential method of [Mei05].

% dashed Run time # Constraints Constraints

rtc rtcS rtc rtcS ratio

10 3.37 0.4608 208.7 153.5 0.73

30 195.81 120.15 170308.7 117832.9 0.69

50 339.29 300.23 299937.8 240075.7 0.8

70 419.94 236.83 355631.3 328359.1 0.92

Average 239.6 164.4 206521.6 171605.3 0.83

Table 1. Experimental results of rtcS vs. rtc on randomly generated graphs. Each line in the table corresponds toan average on (the same) 10 graphs, but with a varying percentage of dashed vs. solid edges.

As expected, rtcS is better in practice than rtc, both in terms of the size of the generated formula, andthe overall running time. The difference in the run time of SAT between the formulas generated by rtc andrtcS was quite negligible in these cases.

Is rtcS competitive with lazy-style solvers? Although we did not check it systematically, we expect thaton instances with many uninterpreted functions (as most of the benchmarks in the SMT suite are), the answeris no. As was noted in [MS05], lazy solvers are likely to perform better in such cases, since the reduction toequality logic using Bryant’s reduction creates graphs in which most of the edges are both dashed and solid, acase in which rtcS has no advantage in comparison to the sparse method of Bryant and Velev [BV00] (whichby itself, as far as we know, has never been compared experimentally to some of the modern implementationsbased on congruence closure, such as [NO05]). We also noticed that large graphs (with a 150 nodes or more)with a high degree of connectivity, as the ones created when reducing uninterpreted functions, frequently

lead to an excessive run time in making them chordal, despite the polynomial upper-bound on the runningtime of this operation.

Are there cases in which rtcS has an advantage over lazy-style solvers? To test this question we comparedrtcS to Yices (version 1.09), where the propositional formulas generated by rtcS were solved with Yicesas well. The comparison was done on crafted examples without uninterpreted functions. It turns out thatgenerating random CNF-s is rather meaningless in this context, because it is very unlikely that in suchformulas every assignment that satisfies the skeleton will correspond to a contradictory cycle. Indeed, in allthe experiments we made with random CNFs, the formulas were satisfiable and very easy to solve by bothmethods. We therefore crafted a set of formulas whose respective equality graph follow the pattern thatappears in Figure 5. The number of ‘diamonds’ is denoted by n, hence the right most node is x3n+1.

x1

x2

x3

x5

x6

x7x4x3n+1

Fig. 5. An equality formula corresponding to the crafted examples.

The checked formula isx1 6= x3n+1∧((x1 = x2 ∧ x2 = x4) ∨ (x1 = x3 ∧ x3 = x4))∧

...((x3n−2 = x3n−1 ∧ x3n−1 = x3n+1) ∨ (x3n−2 = x3n ∧ x3n = x3n+1)) ,

(1)

which is unsatisfiable for all n > 0. There are 4n + 1 edges and hence Boolean variables in the formula’sskeleton. Satisfying either the top or bottom path of each diamond (or both), together with the disequalityx1 6= x3n+1, satisfies the Boolean skeleton of the formula. Yet each such satisfying assignment correspondsto a contradictory cycle, which makes the formula unsatisfiable.

This type of formula is expected to be hard for lazy-style solvers, because there is an exponential numberof solutions that satisfy the skeleton, none of which is a real solution (it seems that theory propagationand learning cannot be effective in this case either). The results, in seconds, appear in the table below. TOdenotes a timeout of 1 hour. It is clear that in such formulas indeed rtcS has an advantage.

n Yices rtcS

20 95.7 < 125 3210.2 < 130 TO < 140 TO < 1

To summarize, as indicated in the introduction, rtcS dominates the two previously published alternatives:rtcS is polynomial in contrast to the exponential algorithm described in [Mei05], and it generates formulasthat are guaranteed to be smaller and less constrained than the formulas generated by the polynomialapproximation offered by rtc (or, if it happens to be that there are no non-simple cycles, it generates anequivalent formula). It is also simpler to implement and (subjectively) more elegant than rtc.

References

[Ack54] W. Ackermann. Solvable cases of the Decision Problem. Studies in Logic and the Foundations of Mathe-matics. North-Holland, Amsterdam, 1954.

[BV00] R.E. Bryant and M. Velev. Boolean satisfiability with transitivity constraints. In Proc. 12th Intl. Conferenceon Computer Aided Verification (CAV’00), volume 1855 of Lect. Notes in Comp. Sci., 2000.

[CLR00] T. Cormen, C. Leiserson, and R. Rivest. Introduction to Algorithms, chapter 26, page 563. MIT press,2000.

[Mei05] Orly Meir. A decision proceudre for equality logic. Master’s thesis, Technion, 2005.[MS05] Orly Meir and Ofer Strichman. Yet another decision procedure for equality logic. In K. Etessami and

S. Rajamani, editors, Proc. 17th Intl. Conference on Computer Aided Verification (CAV’05), volume 3576of Lect. Notes in Comp. Sci., pages 307–320, Edinburgh, July 2005. Springer-Verlag.

[NO05] Robert Nieuwenhuis and Albert Oliveras. Proof-producing congruence closure. In RTA, pages 453–468,2005.

[PRSS02] A. Pnueli, Y. Rodeh, O. Strichman, and M. Siegel. The small model property: How small can it be?Information and computation, 178(1):279–293, October 2002.

Model-based Theory Combination

Leonardo de Moura and Nikolaj Bjørner

Microsoft Research, One Microsoft Way, Redmond, WA, 98074, USA{leonardo, nbjorner}@microsoft.com

Abstract. Traditional methods for combining theory solvers rely oncapabilities of the solvers to produce all implied equalities or a pre-processing step that introduces additional literals into the search space.This paper introduces a combination method that incrementally recon-ciles models maintained by each theory. We evaluate the practicality andefficiency of this approach.

1 Introduction

A core problem of Satisfiability Modulo Theories is combining separate theorysolvers for theories T 1 and T 2 to a combined solver for the union T 1 ∪ T 2. TheNelson-Oppen combination method identifies sufficient conditions for combiningtwo theories over disjoint signatures: only (disjunctions of) equalities over sharedvariables that are implied by one of the theories need to be communicated. Mostexisting implementations and optimizations of this method seek to efficientlyimplement the trigger:

if T i ∪ Γi |= u ' v then propagate u ' v,

to exhaustively enumerating all implied (disjunctions of) equalities for a the-ory T i and constraints Γi that are asserted in its context. Another method [1]to obtain completeness is by enumerating equalities corresponding to the cross-product of all shared variable pairs and use the SAT solver for non-deterministicallychoosing a partition based on the cross-product. Common to these methods isthat they are pessimistic about which equalities are propagated. A more opti-mistic approach is by inspecting a candidate model Mi for one of the theories T i

and propagate all equalities implied by the candidate model, hedging that othertheories will agree. If not, use backtracking to fix the model. Thus, Model-basedTheory Combination is based on a trigger of the form:

if Mi |= T i ∪ Γi ∪ {u ' v} then propagate u ' v .

The rationale for Model-based Theory Combination is practical: It tendsto be much cheaper to enumerate equalities that are implied in a particularmodel than of all models; the number of inter-theory equalities that really matteris small in practice (intra-theory equality propagation on the other hand doesmatter); backtracking is relatively cheap with modern DPLL solvers; and finally,one may limit the number of equalities implied by a model by model mutation.

2 Background

A signature Σ is a set of function and predicate symbols. Each symbol is asso-ciated with a nonnegative integer, called the arity. If arity(g) = 0, then g is aconstant symbol. We assume that the binary equality predicate ' to be alwayspresent in any signature Σ. We use the standard notion of Σ-structure M, thatis, a support set endowed with an arity-matching interpretation of the functionand predicate symbols from Σ. We use fM (pM) to denote the interpretation ofthe function symbol f (predicate symbol p) in the structure M. The truth of aΣ-formula in M is defined in the standard ways. A formula φ is satisfiable in Miff its existential closure is true in M. In this case, we say M is a model for φ.A sentence is a first-order formula with no free variables. A (first-order) theory

T over a signature Σ is a set of (deductively closed) sentences over Σ. We saytwo theories T 1 and T 2 have disjoint signatures when Σ1 ∩Σ2 = {'}. A theoryT is stably infinite if every satisfiable quantifier free formula is satisfiable in aninfinite model. A theory T is convex [2] iff for all finite sets Γ of literals andfor all non-empty disjunctions

∨

i∈I ui ' vi of variables, Γ |=T

∨

i∈I ui ' vi iffΓ |=T ui ' vi for some i ∈ I. Intuitively, a theory is convex if for every satisfi-able set of literals there is a model where variables not implied to be equal havea distinct interpretation. For example, linear integer arithmetic is not convex,because the set of literals {0 ≤ x1 ≤ 1, 0 ≤ x2 ≤ 1, 0 ≤ x3 ≤ 1} is satisfiable, noequality xi ' xj for i 6= j is implied, but there is no model where x1, x2 and x3

are all distinct.

2.1 Nelson-Oppen combination method

Nelson-Oppen (NO) combination method [3] provides a rather simple solutionfor the theory combination problem for theories that are stably infinite and havedisjoint theories. More formally, let T 1 and T 2 be consistent, stably infinite the-ories over disjoint (countable) signatures. Assuming satisfiability of conjunctionof literals can be decided in O(T 1(n)) and O(T 2(n)) time respectively. Then,

1. The combined theory T is consistent and stably infinite.2. Satisfiability of quantifier free conjunction of literals in T can be decided in

O(2n2

× (T 1(n) + T 2(n))).3. If T 1 and T 2 are convex, then so is T and satisfiability in T is in O(n4 ×

(T 1(n) + T 2(n))).

Let Γ be a set of literals over Σ1 ∪ Σ2. Then, the non-deterministic NO com-bination method can be described in the following way. First, a satisfiabil-ity preserving transformation called purification is used to transform Γ intoΓ1 ∧ Γ2, such that, the symbols from Γi are in Σ

ai , where Σ

ai = Σi ∪ a, and a

(= V(Γ1)∩V(Γ2)) denotes the set of shared variables between Γ1 and Γ2. Then,a partition of a into disjoint subsets is guessed and is expressed as a conjunctionof literals φ. For example, the partition {x1}, {x2, x3}, {x4} is represented asx1 6' x2, x1 6' x4, x2 6' x4, x2 ' x3. Then, the individual procedures are used to

decide whether Γi∧φ is satisfiable. The combined procedure returns unsatisfiableif one of the procedures returns unsatisfiable.

For convex theories, instead of guessing, one can deduce the equalities to beshared. The key idea is to propagate x ' y to Γ2 whenever T 1∪Γ1 |= x ' y, andvice-versa. This process is repeated until no further equations can be propagated.Then, the individual procedures are used to decide whether Γi is satisfiable.Sharing equalities in this case is sufficient, because a theory T 1 can assume thatxM2 6= yM2 whenever x ' y is not implied by T 2 and vice versa. So, for convextheories, there is an efficient way to construct a partition of the set of sharedvariables.

3 Related Work

3.1 Convex theories only

For convex theories it is sufficient to propagate all implied equalities betweenshared variables. For instance, theories that admit canonizers solve equality prop-agation by rewriting. In general, a theory T i is canonizing (as coined in [4]) if itadmits a function ↓ , such that:

T i ∪ Γi |= s ' t iff s ↓Γi= t ↓Γi

.

Linear rational arithmetic is convex, procedures based on the Fourier-Motzkinalgorithm produce all implied equalities in a straight-forward way, but the pro-cedure may require exponential space. For procedures based on the Simplexalgorithm, all implied equalities can be deduced using the approaches describedin [5, 6].

The main disadvantage of these approaches is poor performance (either of thesolver or of the equality propagation) and the inability to deal with non-convextheories.

3.2 DTC: Delayed Theory Combination

Several SMT solvers [7] use the underlying SAT solver to guess a partition ofV(Γ1) ∩ V(Γ2), the idea is to create a literal u ' v for every pair of sharedvariables u and v. One may be concerned that guessing a partition would beexponentially more expensive than deriving it when the theories are convex.However, as shown in [8], back-jumping and lemma learning allow simulating

the standard Nelson-Oppen combination method: equalities that are implied bya theory, once learned are not flipped.

The obvious disadvantage of this approach is that the number of additionalequality literals is quadratic in the number of shared variables. There is anadditional assumption that may be tool specific to MathSat, but are pervasivein the results from [8]: all literals used by the SAT solver must be present in theinput to the SAT solver. At the current time of writing CVC3 [9], Verifun [10],Yices [11], and our tool Z3 all support dynamically added literals.

Our approach, presented later, appeals to an SMT solver that allows intro-ducing literals on the fly. If this is not possible, the approach boils down to abranching heuristic on top of DTC.

3.3 Ackermannization

When combining two theories T 1 and T 2, where T 1 is the theory of uninterpretedfunctions, one can eliminate T 1 by creating all ground instances of Leibniz’srule [12]:

∧

ni ' mi → f(n) ' f(m) (1)

Thus, we can eliminate a function symbol f from a set of formulas F by applyingthe procedure ackermannize:

ackermannize(f, F ) :foreach f(n) ∈ F where n do not contain f

create a fresh constant af(n)

replace f(n) by af(n) in F

foreach af(n), af(m)

add the clause∧

ni ' mi → af(n) ' af(m) to F

A partial Ackermann’s reduction heuristic is proposed and investigated in [13].Functions are only eliminated when the number of distinct occurrences is smallerthan the set of shared variables in the function arguments.

Ackermannization has the same disadvantage as DTC in that the number ofadditional literals is quadratic in the size of the input. It is furthermore prob-lematic to use Ackermannization in the context of several theories and whencombining SMT solvers with quantifier instantiation.

Dynamic Ackermannization Congruence closure algorithms for deduction inequational theories are ubiquitous. Efficient and incremental congruence closurebased procedures are described in [6, 14]. However, these algorithms miss thefollowing propagation rule:

f(n) 6' f(m) =⇒∨

ni 6' mi . (2)

This propagation rule (which is a contrapositive of (1)) has a dramatic perfor-mance benefit in some benchmarks, and Ackermann’s reduction gives this rulefor free. For example, the following simple formula takes O(2N ) time to be solvedusing the algorithms presented in [6, 14]. In contrast the formula can be solvedin polynomial time if either O(N2) axioms are added up front by ackermannize

or the above propagation rule is used resulting in “only” O(N) space and timeoverhead.

N∧

i=1

(pi ∨ xi ' v0) ∧ (¬pi ∨ xi ' v1) ∧ (pi ∨ yi ' v0) ∧ (¬pi ∨ yi ' v1),

f(xN , . . . , f(x2, x1) . . .) 6' f(yN , . . . , f(y2, y1) . . .) (3)

This performance problem reflects a limitation in the current congruence closurealgorithms used in SMT solvers, and it is not related with the theory combinationproblem. In fact, the formula above uses only one theory. In [11], an approach,called Dynamic Ackermannization, is proposed to cope with this problem. There,clauses corresponding to Ackermann’s reduction are added when a congruencerule participates in a conflict.

4 Model-based Theory Combination

Our approach minimizes the number of produced shared equalities. It is basedon the fact that, in practice, the number of local inconsistencies is much biggerthan the number of global (cross theory) inconsistencies. It works for convex andnon-convex theories alike.

1. Each theory T i maintains a model Mi for Γi, or at times only for a subsetof Γi.

2. From time to time, if uMi = vMi , then the theory creates the case-splitu ' v, the positive case is tried first.

3. At the discresion of the theory solver, change a model Mi to M′

i to satisfynewly assigned literals, or to imply fewer equalities.

It is fairly straight-forward to integrate this approach in a DPLL(T ) frame-work, that we rename DPLL(T M), as the search is now model-guided. Borrowingnotation from [15, 16], the relevant new rules are presented in Fig. 1. The full setof rules are repeated from [16] in Fig. 2. The transition rules modify triplets ofthe form M, Γ ||F , where M is a set of models for theories T 1, . . . , T n, Γ is aset of asserted literals, and F is a set of clauses. The rule M-Propagate creates afresh equality literal (u ' v)d when a model associated with one of the theoriesimply it, but the equality is not present in the context Γ . The equality literal ispushed on Γ , thus propagating the equality to all theories sharing variables u

and v. The tag d on the literal indicates that the literal may be negated duringbacktracking. The M-Mutate rule allows changing models during backtrackingsearch. For instance, after applying Decide, a newly assigned literal `d may notbe satisfied in the existing models. We do not need to specify when M-Mutate

is applied. In particular, theory solvers are not required to maintain models fortheir contexts at all times during a search. Models are only required when othercase splits have been attempted. For example, when using linear programmingfor an integer linear programming problem, a simplex tableau may choose todelay introducing Gomory cuts to obtain an integer interpretation until otherconstraints have been propagated.

We use the following optimizations to minimize even further the number ofnecessary case splits. Let RM be an equivalence relation on V such that RM(u, v)iff uM = vM. Let classes(R) be the set of equivalence classes induced by R.

1. Opportunistic equality propagation: Equalities that can be inferred with-out additional expense to the theory solver are always propagated eagerly.Section 5 gives an example of opportunistic equality propagation.

M-Propagate

M, Γ ||F =⇒ M, Γ (u ' v)d ||F if

u, v ∈ V, (u ' v) 6∈ LuMi = vMi

add (u ' v) to L

M-Mutate

M, Γ ||F =⇒ M′, Γ ||F if

{

M′ is some variant of M

Fig. 1. Model-based propagation

2. Postponing model-based equality propagation: we delay applying the ruleM-Propagate until case splits on already existing literals have been per-formed.

3. Model mutators, the idea is to use a function δ(Mk) that returns a morediverse model. More formally, |classes(RMk

)| ≤ |classes(Rδ(Mk))|

5 Simplex: An example model-producing theory solver

Following [17], a theory solver for linear arithmetic, and integer linear arithmetic,can be based on a Simplex Tableau of the form:

xi '∑

xj∈N

aijxj xi ∈ B,

where B and N denote the set of basic and nonbasic variables, respectively. Inaddition to this tableau, the solver state stores upper and lower bounds li andui for every variable xi and a mapping β that assigns a rational value β(xi) toevery variable xi. The bounds on nonbasic variables are always satisfied by β,that is, the following invariant is maintained

∀xj ∈ N , lj ≤ β(xj) ≤ uj .

Bounds constraints for basic variables are not necessarily satisfied by β, so forinstance, it may be the case that li > β(xi) for some basic variable xi, but piv-oting steps can be used to fix bounds violations, or detect an infeasible tableau.We hope it does not come as a total surprise that the current model for thesimplex solver is given by β. Enumerating the equalities implied by β is simple:enumerate all the values of β(xi), inserting each value into a hash table. Theexpected time of enumerating all equalities is then O(|B ∪ N |).

5.1 Opportunistic equality propagation

A variable xi is fixed iff li = ui, a linear polynomial∑

xj∈Vaijxj is fixed iff for

every xj ∈ V , xj is fixed or aij = 0. Given a linear polynomial P =∑

xj∈Vaijxj ,

we use β(P ) to denote∑

xj∈Vaijβ(xj).

FixedEq

li ≤ xi ≤ ui, lj ≤ xj ≤ uj =⇒ xi ' xj if li = ui = lj = uj

EqRowxi ' xj + P =⇒ xi ' xj if P is fixed, and β(P ) = 0

EqOffsetRowsxi ' xk + P1

xj ' xk + P2=⇒ xi ' xj if

{

P1 and P2 are fixed, andβ(P1) = β(P2)

EqRowsxi ' P + P1

xj ' P + P2=⇒ xi ' xj if

{

P1 and P2 are fixed, andβ(P1) = β(P2)

The first rule can be implemented using a mapping from values to fixedvariables, the second rule can be easily checked when a row is updated during apivoting step. The rule EqOffsetRows is a simpler and less expensive version ofEqRows. It can be implemented using a mapping (xk, v) 7→ xi, where xk and xi

are variables, and v is a value. In our implementation, the first three rules areeagerly applied, and the last one is only applied before M-Propagate. We alsoaggressively remove fixed variables from the basis.

These rules can miss some implied equalities. For instance, from the con-straints (4), the rules detect the implied equality z ' w, but miss the equalityx ' y, because z is not a fixed variable. Fortunately, the bound propagationtechnique described in [17] can be used imply the bound 0 ≤ w, making w afixed variable, and enabling the application of the rule EqRow.

x ' y + w + s, z ' w + s, 0 ≤ z, w ≤ 0, 0 ≤ s ≤ 0 (4)

5.2 Mutation using freedom intervals

The freedom of a non-basic variable xj is defined as the interval [Lj , Uj], where:

Lj = max

({

β(xj) +li − β(xi)

aij

| aij > 0

}

∪

{

β(xj) +ui − β(xi)

aij

| aij < 0

}

∪ {lj}

)

Uj = min

({

β(xj) +ui − β(xi)

aij

| aij > 0

}

∪

{

β(xj) +li − β(xi)

aij

| aij < 0

}

∪ {uj}

)

Intuitively, if β satisfies all rows and bound constraints, then β will also satisfythem after executing update(xj , v) for any value v in the interval [Lj , Uj], wherethe update procedure is defined as:

update(xj , v)foreach xi ∈ B, β(xi) := β(xi) + aij(v − β(xj))β(xj) := v

Freedom intervals can be used to produce a more diverse β without performingany pivoting operation. A simple greedy heuristic seems to be quite effective: foreach non-basic variable xj , execute update(xj , v), if there is a value v ∈ [Lj, Uj ]such that |classes(Rβ)| < |classes(Rβ′)|, where β′ denotes β after the update

operation.

6 Experimental Evaluation

The experiments were conducted using a 32bit Pentium 4 processor running at3.6Ghz, 2Gb of memory, and 2Mb of cache. The timeout was set to 10 minutes.We compared our approach against other SMT solvers and against differentstrategies within our solver Z3. We used the same benchmarks used in [13].The benchmarks were translated to the SMT-LIB format, and are available fordownload in our website1. We also included, for N ∈ [1, 99] the examples from(3) and the following simple family of satisfiable formulas in the comparison forN ∈ [2, 99]:

ϕ =N∧

i=1

f(xi) ≥ 0 ∧ xi ≥ 0 ∧ xi 6' xi+1 (5)

All benchmarks but the Ackermann suite use the theories of uninterpreted func-tions and linear arithmetic. Tables 1 and 2 summarize the results obtained inour experiments. Each cell has the accumulated time, in seconds, used by eachsolver to solve a family of benchmarks. It does not include the time spent ininstances where the solver produced the unknown result. A solver is consid-ered to have produced the unknown result when it times out or crashes. Thenumber of unknown results is displayed using parenthesis. MathSAT-dtc denotesthe MathSAT solver with the command line option -DTC that forces it to useDelayed Theory Combination. We used Yices version 1.0.8 in the experiments.Yices is also based on DTC, but the shared equalities are lazily generated, and ituses a filtering mechanism to avoid the generation of unnecessary shared equali-ties [11]. Yices and Z3 implement Dynamic Ackermannization suggested in [11].Six different versions of our Z3 solver were used: Z3-dtc uses delayed theorycombination and the additional equalities between shared variables are eagerlygenerated; Z3-dtc* is similar to Z3-dtc but uses the current model to implementa branching heuristic for the generated equalities; Z3-ack uses Ackermann’s re-duction as a pre-processing step; Z3-neq, Z3-ndack and Z3 all use Model BasedTheory Combination, but Z3-neq does not use opportunistic equality propaga-tion, and Z3-ndack does not use Dynamic Ackermannization. Notice that ourimplementation of Z3-dtc does not include several optimizations that may beuseful for a DTC framework. It does not take advantage of theory propagationfor arithmetic.

The benchmarks in the EufLaArithmetic family are trivial if the linear arith-metic solver performs some form of opportunistic equality propagation. The

1 http://research.microsoft.com/˜leonardo/SMT07

Simple family described above was used to demonstrate that DTC is not robust.Yices performs poorly on most satisfiable instances in the RandomCoupled andRandomDecoupled families.

# MathSAT MathSAT-dtc Yices Z3

EufLaArithmetic 52 1851.50 (11) 785.87 (1) 10.45 17.34Hash 199 520.90 19.39 11.48 6.54

Wisa 256 886.36 (1) 6916.18 4.37 2.78

RandomCoupled 400 517.05 518.15 9516.11 (51) 56.16

RandomDecoupled 500 11989.60 (1) 97.07 19362.40 (51) 41.95

Simple (5) 98 1366.33 7053.98 (29) 2328.63 (53) 1.00

Ackermann (3) 99 228.49 (82) 344.00 (82) 2.99 1.72

Total 1604 17360.23 (95) 15734.64 (112) 31236.43 (155) 127.49

Table 1. Experimental results

# Z3-dtc Z3-dtc* Z3-ack Z3-neq Z3-ndack Z3

EufLaArithmetic 52 796.71 (11) 2830.38 (4) 1094.47 (1) 786.15 11.56 17.34Hash 199 310.10 305.75 23.68 5.89 6.02 6.54Wisa 256 364.71 385.06 12.31 4.89 2.40 2.78RandomCoupled 400 8122.45 (166) 12451.82 (103) 101.24 56.45 56.65 56.16

RandomDecoupled 500 12421.30 (85) 15316.60 (71) 56.54 51.23 48.39 41.95

Simple (5) 98 7.26 7.34 33.89 0.45 1.00 1.00Ackermann (3) 99 728.22 (77) 733.58 (77) 37.99 1.74 874.21 (77) 1.72

Total 1604 22750.75 (339) 32030.53 (255) 1360.12 (1) 906.78 1000.23 (77) 127.49

Table 2. Experimental results (only Z3)

Model based theory combination seems to be more robust than DTC orAckermann’s reduction. In these benchmarks, the average number of sharedequalities propagated by Z3 using M-Propagate was 2.46. The maximum was57.

7 Conclusions

This paper introduced a new approach for dealing with equality propagationin the context of convex theories where equality deduction is expensive andmore generally, in the context of non-convex theories. Both in theory, and as wevalidated experimentally, the approach solves a number of practical deficiencieswith other known solutions to integrating theories.

Model-based Theory Combination requires that a decidable theory maintains

a notion of a model that supports efficiently answering queries of the form uM =

vM.

7.1 On the significance of Ackermann’s reduction

The Wisa benchmark set is used in [13] to illustrate the usefulness of Ackermann’sreduction in contrast with DTC. With Model-based Theory Combination, Ack-ermann’s reduction does not help on these set of benchmarks. We thereforebelieve they reflect more the problems with DTC than the advantages of Ack-ermann’s reduction. On the other hand, the synthetic Ackermann benchmarks,one can observe the utility of the reduction. Dynamic Ackermann reduction isnot without an overhead: new literals are added to the search space, and thenew literals cause T-Propagate to spend additional overhead of walking use-lists.Future work includes investigating whether it is a practical advantage to buildin the propagation directly into a congruence closure algorithm.

7.2 Are theories amenable to Model-based combinations?

Our main example of a model producing theory solver was a classical Simplexsolver. We are experimenting with adding model-based solvers to other theories,and we hope to be reporting on our findings in future work.

8 Acknowledgment

The authors would like to thank Alberto Griggio for providing the latest versionof MathSAT and adding a command line option for enabling Delayed TheoryCombination.

References

1. Bozzano, M., Bruttomesso, R., Cimatti, A., Junttila, T.A., van Rossum, P., Schulz,S., Sebastiani, R.: The MathSAT 3 System. In Nieuwenhuis, R., ed.: CADE.Volume 3632 of Lecture Notes in Computer Science., Springer (2005) 315–321

2. Oppen, D.C.: Complexity, convexity and combinations of theories. Theor. Comput.Sci. 12 (1980) 291–302

3. Nelson, G., Oppen, D.C.: Simplification by cooperating decision procedures. ACMTransactions on Programming Languages and Systems 1 (1979) 245–257

4. Shostak, R.E.: Deciding combinations of theories. J. ACM 31 (1984) 1–125. Rueß, H., Shankar, N.: Solving linear arithmetic constraints. Technical Report

SRI-CSL-04-01, SRI International (2004)6. Detlefs, D., Nelson, G., Saxe, J.B.: Simplify: a theorem prover for program check-

ing. J. ACM 52 (2005) 365–4737. Bozzano, M., Bruttomesso, R., Cimatti, A., Junttila, T.A., Ranise, S., van Rossum,

P., Sebastiani, R.: Efficient theory combination via boolean search. Inf. Comput.204 (2006) 1493–1525

8. Bruttomesso, R., Cimatti, A., Franzen, A., Griggio, A., Sebastiani, R.: DelayedTheory Combination vs. Nelson-Oppen for Satisfiability Modulo Theories: A Com-parative Analysis. In: LPAR. (2006) 527–541

9. Barrett, C., Tinelli, C.: CVC3. In: CAV ’07. (2007) to appear.10. Flanagan, C., Joshi, R., Saxe, J.B.: An explicating theorem prover for quantified

formulas. Technical Report HPL-2004-199, HP Laboratories, Palo Alto (2004)11. Dutertre, B., de Moura, L.: The Yices SMT Solver. http://yices.csl.sri.com/tool-

paper.pdf (2006)12. Ackermann, W.: Solvable cases of the decision problem. Studies in Logic and the

Foundation of Mathematics (1954)13. Bruttomesso, R., Cimatti, A., Franzen, A., Griggio, A., Santuari, A., Sebastiani,

R.: To Ackermann-ize or Not to Ackermann-ize? On Efficiently Handling Uninter-preted Function Symbols in UF(E). In: LPAR. (2006) 557–571

14. Nieuwenhuis, R., Oliveras, A.: Fast Congruence Closure and Extensions. Inf.Comput. 2005 (2007) 557–580

15. Ganzinger, H., Hagen, G., Nieuwenhuis, R., Oliveras, A., Tinelli, C.: DPLL(T):Fast decision procedures. In: CAV 04. LNCS 3114 (2004) 175–188

16. Nieuwenhuis, R., Oliveras, A., Tinelli, C.: Solving SAT and SAT Modulo Theories:From an abstract Davis–Putnam–Logemann–Loveland procedure to DPLL(T). J.ACM 53 (2006) 937–977

17. Dutertre, B., de Moura, L.: A Fast Linear-Arithmetic Solver for DPLL(T). In:CAV’06. LNCS 4144, Springer-Verlag (2006) 81–94

18. Sheini, H.M., Sakallah, K.A.: SMT(LU): a step toward scalability in system veri-fication. In Hassoun, S., ed.: ICCAD, ACM (2006) 844–851

A A presentation of DPLL(T M)

Fig. 2 repeats from [16] the presentation of DPLL(T ) as an abstract transitionsystem. We have added M to each sequent to emphasize that the current stateduring proof-search also carries a model. In contrast to [16], we use a set L ofliterals to choose case split candidates from. We assume L is a super-set of theliterals occurring in the set of clauses F . Besides the fresh equality literals in-troduced by the rule M-Propagate, non-convex theory implementations, such asan integer linear solver may introduce fresh literals as a side-effect of performingbranch-and bound search.

UnitPropagate

M, Γ ||F, C ∨ ` =⇒ M, Γ ` ||F, C ∨ ` if

{

Γ |= ¬C

` is undefined in Γ

Decide

M, Γ ||F =⇒ M, Γ `d ||F if

{

` occurs in L` is undefined in Γ

Fail

M, Γ ||F, C =⇒ fail if

{

Γ |= ¬C

Γ contains no decision variables

Backjump

M, Γ `dΓ ′ ||F, C =⇒ M, Γ `′ ||F, C if

Γ`dΓ ′ |= ¬C,

there is a clause C′ ∨ `′ such thatF, C |= C′ ∨ `′ and Γ |= ¬C′;`′ is undefined in Γ ;

`′ or ¬`′ occurs in F or in `dΓ ′

T-Propagate

M, Γ ||F =⇒ M, Γ ` ||F if

Γ |=T `

` occurs in L` is undefined in Γ

Learn

M, Γ ||F =⇒ M, Γ ||F, C if

{

all atoms of C occur in LF |=T C

Forget

M, Γ ||F, C =⇒ M, Γ ||F, C if{

F |=T C

Restart

M, Γ ||F =⇒ M, ∅ ||F

Fig. 2. DPLL with exhaustive theory propagation

Solving Quantified Verification Conditions using

Satisfiability Modulo Theories ? ??

Yeting Ge1, Clark Barrett1, and Cesare Tinelli2

1New York University, yeting|barrett@cs.nyu.edu2The University of Iowa, tinelli@cs.uiowa.edu

Abstract. First order logic provides a convenient formalism for describ-ing a wide variety of verification conditions. Two main approaches tochecking such conditions are pure first order automated theorem proving(ATP) and automated theorem proving based on satisfiability modulotheories (SMT). Traditional ATP systems are designed to handle quan-tifiers easily, but often have difficulty reasoning with respect to theories.SMT systems, on the other hand, have built-in support for many usefultheories, but have a much more difficult time with quantifiers. One clueon how to get the best of both worlds can be found in the legacy systemSimplify which combines built-in theory reasoning with quantifier in-stantiation heuristics. Inspired by Simplify and motivated by a desire toprovide a competitive alternative to ATP systems, this paper describes amethodology for reasoning about quantifiers in SMT systems. We presentthe methodology in the context of the Abstract DPLL Modulo Theoriesframework. Besides adapting many of Simplify’s techniques, we also in-troduce a number of new heuristics. Most important is the notion ofinstantiation level which provides an effective mechanism for prioritizingand managing the large search space inherent in quantifier instantiationtechniques. These techniques have been implemented in the SMT systemCVC3. Experimental results show that our methodology enables CVC3to solve a significant number of benchmarks that were not solvable withany previous approach.

? This work was partially supported by a donation from Intel Corp. and by the Na-tional Science Foundation grant number 0551645.

?? This paper will appear in the Proceedings of 21st Conference on Automated Deduc-tion (CADE-21)

Combination Methods for

Model-Checking of Infinite-State Systems ∗

Silvio Ghilardi1, Enrica Nicolini2, Silvio Ranise2, and Daniele Zucchelli1,2

1 Dip. di Informatica, Universita degli Studi di Milano (Italia)2 LORIA & INRIA-Lorraine, Nancy (France)

Abstract

Manna and Pnueli have extensively shown how a mixture of first-order logic (FOL) and discrete Linear time Temporal Logic (LTL) issufficient to precisely state verification problems for the class of re-active systems. Theories in FOL model the (possibly infinite) datastructures used by a reactive system while LTL specifies its (dynamic)behavior. In this paper, we give a decidability result for the model-checking of safety properties by lifting combination methods for (non-disjoint) theories in FOL. The proof suggests how decision proceduresfor the constraint satisfiability problem of theories in FOL and theexploration of a safety graph (associated to the system) can be inte-grated. This paves the way to employ efficient Satisfiability ModuloTheories solvers in the model-checking of infinite state systems. Weillustrate our technique on an example.

∗An extended version of this paper entitled “Combination Methods for Satisfiability and

Model-Checking of Infinite-State Systems” will appear in the proceedings of CADE’07.

Deciding Unbounded Heaps in an SMT Framework

Zvonimir Rakamaric2, Roberto Bruttomesso1, Alan J. Hu2, and Alessandro Cimatti1

1 ITC-IRST, Povo, Trento, Italy{bruttomesso,cimatti}@itc.it

2 Department of Computer Science, University of British Columbia, Canada{zrakamar,ajh}@cs.ubc.ca

Abstract. Satisfiability Modulo Theories(SMT) solvers have had great successin many different applications. The main reasons for this success are their effi-ciency and their support for the diverse theories that are required in different do-mains. Software verification has been a promising domain forSMT solvers, butverifying general software requires reasoning about unbounded linked heap datastructures, including a theory that supports unbounded reachability. So far, noneof the available SMT solvers supports such a theory. In this paper, we present ourexperience with integrating a decision procedure that supports unbounded heapreachability into an available SMT solver. Using the extended SMT solver, wecan efficiently verify examples of heap-manipulating programs that we could notverify before.

Efficient E-matching for SMT Solvers?

Leonardo de Moura and Nikolaj Bjørner

Microsoft Research, One Microsoft Way, Redmond, WA, 98072, USA{leonardo, nbjorner}@microsoft.com

Abstract. Satisfiabilty Modulo Theories (SMT) solvers have provenhighly scalable, efficient and suitable for integrating theory reasoning.However, for numerous applications from program analysis and verifi-cation, the ground fragment is insufficient. A well known approach forquantifier reasoning uses a matching algorithm that works against anE-graph to instantiate quantified variables. This paper introduces algo-rithms that identify matches on E-graphs incrementally and efficiently.Experimental results show substantial performance improvements overexisting state-of-the-art SMT solvers.

? An extended version of this paper will appear in the proceeding of CADE’07