A propositional world
Ofer Strichman
Joint work with Randal Bryant and Sanjit Seshia
School of Computer Science, Carnegie Mellon University
Integrated decision procedures in Theorem-Provers
Deciding a combination of theories is the key for automation in Theorem Provers:
Boolean operators, Bit-vector, Sets, Linear-Arithmetic,
Uninterpreted functions, More …
f(f(x)-f(y)) != f(z) & y <=x + 2 | b & 3 > 10
Normally, each theory is solved with its own decision procedure and the results are combined (Shostak, Nelson..).
All of these theories, except linear arithmetic, have known efficient direct reductions to propositional logic.
Thus, reducing linear arithmetic to propositional logic will:
1. Enable integration of theories in the propositional logic level.
2. Potentially be faster than known techniques.
2x – 3y + 5z < 0
5x + 2w 2
A decision procedure for separation theory
Separation predicates have the form x > y + c
where x,y are real variables, and c is a constant
Pratt (/Bellman):
Given a set of conjuncted separation predicates
1. Construct the ‘inequality graph’
2. is satisfiable iff there is no cycle with non-negative accumulated weight
Example: (x > z + 3, z > y - 1, y > x + 1)
(A common improvement: split ‘when needed’)
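The Pratt/Bellman check above, carried out in code as an added example (not code from the talk or from the authors' tools): each predicate x > y + c becomes an edge of the inequality graph, and the conjunction is satisfiable iff no cycle has a non-negative accumulated weight. The text form of a predicate ("x > y + 3", "z >= w - 1"), the function names, and the use of Bellman-Ford negative-cycle detection with lexicographic (constant, strictness) weights are assumptions of this example; the strictness component is what lets the boundary case of a zero-weight cycle be decided correctly for both > and >= predicates.

```python
"""Pratt/Bellman check for a conjunction of separation predicates.

Added example, not code from the talk or from the authors' tools.  The text
form of a predicate ("x > y + 3", "z >= w - 1") and the function names are
assumptions of this example; c is an integer constant, as on the slides.
"""
import re

# x > y + c  or  x >= y + c, with an optional "+ c" / "- c" tail.
PRED = re.compile(r"^\s*(\w+)\s*(>=|>)\s*(\w+)\s*(?:([+-])\s*(\d+))?\s*$")


def parse_predicate(text):
    """Return (x, op, y, c) for a predicate 'x op y + c'."""
    m = PRED.match(text)
    if not m:
        raise ValueError(f"not a separation predicate: {text!r}")
    x, op, y, sign, mag = m.groups()
    c = int(mag) if mag else 0
    return x, op, y, -c if sign == "-" else c


def accumulated_weight(predicates):
    """Sum of the constants c along a list of predicates forming a cycle,
    the quantity the slides compare against 0."""
    return sum(parse_predicate(p)[3] for p in predicates)


def inequality_graph(predicates):
    """Inequality graph as {(src, dst): weight}.

    x - y > c is the difference constraint y - x <= -c - epsilon, so it becomes
    an edge x -> y.  Weights are pairs (constant, strictness) compared
    lexicographically: a strict predicate contributes (-c, -1), a non-strict
    one (-c, 0).  A cycle then has weight (-sum c, -#strict), which is
    negative exactly when sum c > 0, or sum c == 0 with a strict edge: the
    'non-negative accumulated weight' condition of the slides, refined so that
    the boundary case sum c == 0 is handled correctly.
    """
    edges = {}
    for text in predicates:
        x, op, y, c = parse_predicate(text)
        w = (-c, -1 if op == ">" else 0)
        if (x, y) not in edges or w < edges[(x, y)]:  # keep the tighter bound
            edges[(x, y)] = w
    return edges


def is_satisfiable(predicates):
    """Bellman-Ford from a virtual source: satisfiable iff no negative cycle."""
    edges = inequality_graph(predicates)
    nodes = {v for edge in edges for v in edge}
    dist = {v: (0, 0) for v in nodes}
    for _ in range(max(len(nodes) - 1, 0)):
        changed = False
        for (u, v), (w, s) in edges.items():
            cand = (dist[u][0] + w, dist[u][1] + s)
            if cand < dist[v]:
                dist[v], changed = cand, True
        if not changed:
            break
    # If any edge still relaxes after |V|-1 rounds, it lies on a negative cycle.
    return not any((dist[u][0] + w, dist[u][1] + s) < dist[v]
                   for (u, v), (w, s) in edges.items())


if __name__ == "__main__":
    example = ["x > z + 3", "z > y - 1", "y > x + 1"]   # the slides' example
    print(accumulated_weight(example), is_satisfiable(example))  # 3 False
```

On the slides' example the three constants sum to 3, so the cycle has non-negative accumulated weight and the conjunction is unsatisfiable; the same routine decides mixed conjunctions such as x >= y together with y >= x (satisfiable, x = y) and x > y together with y >= x (unsatisfiable), which a plain "sum >= 0" test would confuse.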
Case splitting is frequently the bottleneck of the procedure
Answer: Split the domain, not the formula.
Given a formula , this transformation can be done if
’ s.t. |= |=’, and ’ is decidable under a finite domain.
With finite instantiation (e.g. SAT), we split the domain.
Infinite state decision procedures split the formula.
So what’s the big difference?
SAT vs. infinite-state decision procedures
Three mechanisms, crucial for efficient decision making:
3. Guidance (prioritizing internal steps)
SAT has a significant advantage in all three.
SAT vs. infinite-state decision procedures (1/4)
SAT: each clause c prunes up to 2^(|v|-|c|) states.
|v| = 1000, |c| = 2
Others: ? (stops when it finds a satisfiable clause)
SAT: Partial assignments that lead to a conflict are recorded and hence not repeated.
Others: (depends on decision procedure)
- Adding proved sub-goals as antecedents to new sub-goals
3. Guidance (prioritizing internal steps)
Consider 1 2, where 1 is unsat and hard, and 2 is sat and easy.
With proper guidance, a theorem prover should start from 2.
Guidance requires efficient estimation:
- How hard it is to solve each sub-formula?
- To what extent will it simplify the rest of the proof?
3. Guidance (cont’d)
“..To what extent will it simplify the rest of the proof?”
SAT: Guidance through decision heuristics (e.g. DLIS).
(x y z)
Estimating simplification by counting literals in each phase
Others: Expression ordering, ...
Equality Logic with Uninterpreted Functions:
(Uninterpreted functions are reducible to equality logic. Thus, we can concentrate on equality logic)
Traditional infinite-state decision procedure:
Congruence Closure with case splitting.
Example: Equality Logic (3/3)
Bryant et al. (CAV’00): Add transitivity constraints to the formula.
Let (x=y, y=z, x=z) be the equality predicates in .
1. Construct the equality graph.
2. Impose transitivity on cycles:
exy + eyz +exz 2
The resulting formula is propositional: BDDs, SAT, etc.
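The two-step reduction above, as an added example that is not the authors' code: every equality atom becomes one Boolean variable, the equality graph is built from the atoms, and each simple cycle receives the transitivity constraint that the atoms on it cannot be all true but one (for a triangle, e_xy + e_yz + e_xz is not 2). The formula is represented as a Python predicate over a dict of atom values and decided by brute-force enumeration, and the diamond-chain graph at the end is a constructed graph used only to show how the number of simple cycles, and hence of constraints, grows; both are assumptions of this example.

```python
"""Equality logic to propositional logic via transitivity constraints.

Added example, not the authors' code.  One Boolean variable e_xy per equality
atom; the formula is given as a Python predicate over a dict of atom values
and checked by brute-force enumeration (assumptions of this example).  The
diamond-chain graph at the end is a constructed graph used only to show how
the number of simple cycles, and so of constraints, grows.
"""
from itertools import product


def atom(x, y):
    """Canonical key for the atom x = y (e_xy and e_yx are the same variable)."""
    return tuple(sorted((x, y)))


def simple_cycles(nodes, edges):
    """Simple cycles of length >= 3 in the undirected equality graph, each
    reported once as a list of atoms (edges)."""
    adj = {v: set() for v in nodes}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    rank = {v: i for i, v in enumerate(sorted(nodes))}
    found = []

    def walk(start, cur, path):
        for nxt in adj[cur]:
            if nxt == start and len(path) >= 3:
                # Report each cycle once: lowest-ranked node first, and only
                # one of the two traversal directions.
                if rank[path[1]] < rank[path[-1]]:
                    found.append([atom(path[i], path[(i + 1) % len(path)])
                                  for i in range(len(path))])
            elif nxt not in path and rank[nxt] > rank[start]:
                walk(start, nxt, path + [nxt])

    for s in sorted(nodes):
        walk(s, s, [s])
    return found


def respects_transitivity(assignment, cycles):
    """Transitivity constraint per cycle: not 'all atoms true but one'
    (for a triangle this is e_xy + e_yz + e_xz != 2)."""
    return all(sum(assignment[a] for a in cyc) != len(cyc) - 1 for cyc in cycles)


def satisfiable(atoms, formula):
    """Return a satisfying assignment of the propositional encoding, or None."""
    atoms = [atom(*a) for a in atoms]
    nodes = {v for a in atoms for v in a}
    cycles = simple_cycles(nodes, atoms)
    for bits in product((False, True), repeat=len(atoms)):
        assignment = dict(zip(atoms, bits))
        if formula(assignment) and respects_transitivity(assignment, cycles):
            return assignment
    return None


def diamond_chain(n):
    """n diamonds v_i - t_i - v_{i+1} and v_i - b_i - v_{i+1}, chained and closed
    by an edge v_n - v_0 (constructed graph): 2^n cycles through the closing
    edge plus the n inner four-cycles."""
    edges = []
    for i in range(n):
        v, t, b, w = f"v{i}", f"t{i}", f"b{i}", f"v{i + 1}"
        edges += [atom(v, t), atom(t, w), atom(v, b), atom(b, w)]
    edges.append(atom(f"v{n}", "v0"))
    return {x for e in edges for x in e}, edges


if __name__ == "__main__":
    e = [("x", "y"), ("y", "z"), ("x", "z")]
    # x = y and y = z but x != z: unsat once the triangle constraint is added.
    print(satisfiable(e, lambda m: m[atom("x", "y")] and m[atom("y", "z")]
                      and not m[atom("x", "z")]))          # None
    print(len(simple_cycles(*diamond_chain(3))))           # 11
```

Without the transitivity constraint the propositional encoding of x = y, y = z, x != z would be satisfiable, which is exactly the soundness gap the added constraints close; enumerating all simple cycles is what makes the constraint set blow up on the diamond chain, which is the motivation for restricting to triangles once the graph is chordal.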
Extends the results of Bryant et al. to a Boolean combination of:
“Most verification conditions involving inequalities are separation predicates” [Pratt, 1973]:
Array bounds checks, tests on index variables, timing constraints, worst execution time analysis, etc.
Linear arithmetic: All of the above + …
+ Linear programming,
+ Integer Linear programming.
A. Normalize (example):
f(x) > f(y+1)
1. Uninterpreted functions to equality logic
2. Normal form
: (x>y+1 y>x-1(f1 f2 f2 f1)) (f1>f2)
Now has no negations and only the ‘>’ and ‘’ predicate symbols.
Reducing separation predicates to propositional logic (3/6)
B. Encode + construct graph (example):
: (x > z +3 (z>y –1 yx+1))
Reducing separation predicates to propositional logic (5/6)
C. Add transitivity constraints for each simple cycle (example):
Compact representation of constraints (1/4)
n diamonds: 2^n simple cycles.
Can we do better than that ?
In most cases - yes.
e.g. if the diamonds are ‘balanced’ (c1 + c2 = c3 + c4): O(n) constraints
Chordal graphs: each cycle of size greater than 3 has a ‘chord’.
In the equality predicates case:
Let C be a cycle in G
Let be an assignment that violates C’s transitivity ( |C)
Theorem: there exists a cycle c of size 3 in G s.t. | c
Conclusion: add transitivity constraints only for triangles.
Now only a polynomial number of constraints is required.
Compact representation of constraints (3/4)
G is chordal iff:
Every directed cycle of size greater than 3 has a chord which ‘accumulates’ the weight of the path between its ends.
Compact representation of constraints (4/4)
Complexity of making the graph chordal:
1. If the diamonds are ‘balanced’: O(n) constraints
2. If there are uniform weights c1 and c2, c1c2, on top and bottom paths: O(n^2) constraints
3. Worst case: O(2^n)
(c is an integer)
Given with integer separation predicates, derive R:
Theorem: is satisfiable iff R is satisfiable
Each diamond has 2d edges
Top and bottom paths in each diamond are disjuncted.
There are 2^n conjuncted cycles.
By adjusting the weights, we ensured that there is a single
To be continued...
The procedure has recently been integrated into SyMP and Euclid.
We currently experiment with real software verification problems.
Next: Linear Arithmetic (1/2)
x > y + c
Adding constraints according to accumulated cycle weight:
The test c1 + c2 + c3 > 0 results in a yes/no answer
Next: Linear Arithmetic (2/2)
x > y + 2z + c
The test 1 + 2 + 3 > 0 results in a new predicate!
Shostak: ‘Deciding linear inequalities by computing loop residues’
- Determine a fixed variable order
- Represent each predicate by its two ‘highest’ variables
This procedure guarantees termination.