
# A propositional world - PowerPoint PPT Presentation


### A propositional world

Ofer Strichman

Joint work with

Randal Bryant and Sanjit Seshia

School of Computer Science, Carnegie Mellon University

Integrated decision procedures in Theorem-Provers

Deciding a combination of theories is the key for automation in Theorem Provers: Boolean operators, Bit-vector, Sets, Linear-Arithmetic, Uninterpreted functions, More …

Example formula combining bit-vector operators, linear arithmetic and uninterpreted functions (the slide labels each part):

f(f(x)-f(y)) != f(z) & y <= x + 2 | b & 3 > 10

Normally, each theory is solved with its own decision procedure and the results are combined (Shostak, Nelson, ...).

Integrated decision procedures in Theorem-Provers

All of these theories, except linear arithmetic, have known efficient direct reductions to propositional logic.

Thus, reducing linear arithmetic to propositional logic will:

1. Enable integration of theories in the propositional logic level.

2. Potentially be faster than known techniques.

Linear Arithmetic and its sub-theories

2x –3y +5z < 0

5x + 2w 2

• Some useful methods for solving a conjunction of linear arithmetic expressions:
• Simplex, Elliptic curve
• Variable Elimination Methods (Hodes, Fourier-Motzkin, ...)
• Shostak’s loop residues
• Separation theory: Bellman / Pratt ...
• ...

[Figure: inequality graph on x, y, z with edge weights 3, 1 and -1]

A decision procedure for separation theory

Separation predicates have the form x > y + c, where x, y are real variables and c is a constant.

Pratt [73] (/Bellman [57]):

Given a set of conjuncted separation predicates:

1. Construct the ‘inequality graph’.

2. The set is satisfiable iff there is no cycle with non-negative accumulated weight.

Example: (x > z + 3) ∧ (z > y − 1) ∧ (y > x + 1)
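Pratt's procedure applied to the conjunction above, as an added example that is not code from the slides or their authors: the inequality graph is built from the predicates and a Floyd-Warshall pass with max in place of min exposes any cycle of non-negative weight (the graph encoding and the input lists are this example's own constructions).

```python
from math import inf
from typing import List, Tuple

# A separation predicate x > y + c is stored as the triple (x, y, c).
Predicate = Tuple[str, str, float]

# Constructed inputs. The first is the slide's conjunction
# x > z + 3, z > y - 1, y > x + 1; the cycle x -> y -> z -> x weighs 1 - 1 + 3 = 3.
EXAMPLE_UNSAT: List[Predicate] = [("x", "z", 3), ("z", "y", -1), ("y", "x", 1)]
# Same bounds with the last predicate turned around: no cycle at all.
EXAMPLE_SAT: List[Predicate] = [("x", "z", 3), ("z", "y", -1), ("x", "y", 1)]

def inequality_graph(preds: List[Predicate]):
    """Inequality graph as a dense matrix of edge weights.
    Edge y -> x with weight c encodes x > y + c; -inf means 'no edge'."""
    names = sorted({v for x, y, _ in preds for v in (x, y)})
    idx = {v: i for i, v in enumerate(names)}
    n = len(names)
    d = [[-inf] * n for _ in range(n)]
    for x, y, c in preds:
        i, j = idx[y], idx[x]
        d[i][j] = max(d[i][j], c)  # parallel edges: keep the tightest bound
    return names, d

def max_closed_walk(preds: List[Predicate]) -> float:
    """Floyd-Warshall with max in place of min. Afterwards d[i][i] is the
    weight of some closed walk through i, at least as heavy as the heaviest
    simple cycle through i (-inf when i lies on no cycle). A closed walk of
    weight >= 0 always contains a simple cycle of weight >= 0, which is
    exactly Pratt's infeasibility condition."""
    names, d = inequality_graph(preds)
    n = len(names)
    for k in range(n):
        for i in range(n):
            if d[i][k] == -inf:
                continue
            for j in range(n):
                if d[i][k] + d[k][j] > d[i][j]:
                    d[i][j] = d[i][k] + d[k][j]
    return max((d[i][i] for i in range(n)), default=-inf)

def satisfiable(preds: List[Predicate]) -> bool:
    """Pratt/Bellman: the conjunction is satisfiable over the reals iff no
    cycle of the inequality graph has non-negative accumulated weight."""
    return max_closed_walk(preds) < 0

if __name__ == "__main__":
    print(satisfiable(EXAMPLE_UNSAT))  # False
    print(satisfiable(EXAMPLE_SAT))    # True
```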

Handling disjunctions through case splitting

• All previously mentioned algorithms handle disjunctions by splitting the formula.
• This can be thought of as a two stage process:
• Convert formula to Disjunctive Normal Form (DNF)
• Solve each clause separately, until satisfying one of them.

(A common improvement: split ‘when needed’)

Case splitting is frequently the bottleneck of the procedure

So what can be done against case-splitting ?

Answer: Split the domain, not the formula.

Given a formula , this transformation can be done if

’ s.t. |= |=’, and ’ is decidable under a finite domain.

• When is this possible?
•  enjoys the ‘Small model property’, or

SAT vs. infinite-state decision procedures

With finite instantiation (e.g. SAT), we split the domain.

Infinite state decision procedures split the formula.

So what’s the big difference ?

1. Pruning.

2. Learning.

3. Guidance (prioritizing internal steps)

SAT vs. infinite-state decision procedures

Three mechanisms, crucial for efficient decision making:

SAT has a significant advantage in all three.

[Figure: decision tree branching on x and then on y for the clause (x ∨ y); one branch backtracks, the other is pruned]

SAT vs. infinite-state decision procedures (1/4)

1. Pruning

SAT: each clause c prunes up to 2^(|v|-|c|) states.

|v| = 1000, |c| = 2: pruning 2^998 states.

Others: ? (stops when it finds a satisfiable clause)

SAT vs. infinite-state decision procedures (2/4)

2. Learning

SAT: Partial assignments that lead to a conflict are recorded and hence not repeated.

Others: (depends on decision procedure)

- Adding proved sub-goals as antecedents to new sub-goals

- …

SAT vs. infinite-state decision procedures (3/4)

3. Guidance (prioritizing internal steps)

Consider 1 2, where 1 is unsat and hard, and 2 is sat and easy.

With proper guidance, a theorem prover should start from 2.

Guidance requires efficient estimation:

- How hard it is to solve each sub-formula?

- To what extent will it simplify the rest of the proof?

SAT vs. infinite-state decision procedures (4/4)

3. Guidance (cont’d)

“..To what extent will it simplify the rest of the proof?”

SAT: Guidance through decision heuristics (e.g. DLIS).

Example clauses: (x ∨ y ∨ z), (x ∨ v), (~x ∨ ~z)

Estimating simplification by counting literals in each phase.

Others: Expression ordering, ...
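The DLIS counting described here, as an added example in Python that is not from the slides: literal counts per phase over the still-unsatisfied clauses, the simplification a decision causes, and a minimal DPLL loop that backtracks from emptied clauses (the integer clause encoding and the tie-break rule are assumptions of the example).

```python
from collections import Counter
from typing import Dict, List, Optional

# Clauses are lists of non-zero ints: v is the positive literal of variable v
# and -v the negative one. Constructed clause set with the shape of the
# slide's three clauses (x ∨ y ∨ z), (x ∨ v), (¬x ∨ ¬z): x=1, y=2, z=3, v=4.
Clause = List[int]
EXAMPLE: List[Clause] = [[1, 2, 3], [1, 4], [-1, -3]]

def literal_counts(clauses: List[Clause]) -> Dict[int, int]:
    """DLIS statistic: occurrences of each literal, each phase counted
    separately, over the clauses that are still unsatisfied."""
    return dict(Counter(lit for c in clauses for lit in c))

def dlis_pick(clauses: List[Clause]) -> Optional[int]:
    """Choose the literal that would satisfy the most clauses. Ties go to
    the lower-numbered variable, then to the positive phase."""
    counts = literal_counts(clauses)
    if not counts:
        return None
    return max(counts, key=lambda lit: (counts[lit], -abs(lit), lit))

def simplify(clauses: List[Clause], lit: int) -> List[Clause]:
    """Assign `lit` true: drop the clauses it satisfies and delete its
    complement from the rest (an emptied clause is a conflict)."""
    return [[l for l in c if l != -lit] for c in clauses if lit not in c]

def dpll(clauses: List[Clause], model: Optional[Dict[int, bool]] = None):
    """Minimal DPLL with DLIS decisions. Returns a model (variable -> bool)
    or None. Reaching an empty clause prunes the branch; the search then
    backtracks to the opposite phase of the most recent decision."""
    model = dict(model or {})
    if not clauses:
        return model
    if any(len(c) == 0 for c in clauses):
        return None
    lit = dlis_pick(clauses)
    for choice in (lit, -lit):
        found = dpll(simplify(clauses, choice), {**model, abs(choice): choice > 0})
        if found is not None:
            return found
    return None

def satisfies(clauses: List[Clause], model: Dict[int, bool]) -> bool:
    """Check a model; variables the search never assigned default to False."""
    return all(any(model.get(abs(l), False) == (l > 0) for l in c) for c in clauses)
```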

Example: Equality Logic with Uninterpreted Functions (1/3)

Equality Logic with Uninterpreted Functions: (Uninterpreted functions are reducible to equality logic. Thus, we can concentrate on equality logic.)

Congruence closure with case splitting.

Example: Equality Logic (2/3)

• Since 1998, several groups devised finite-state decision procedures for this theory:
• Goel et al. (CAV’98) – Boolean encoding and BDDs
• Bryant et al. (CAV’99) – Positive-equality + finite instantiation
• Pnueli et al. (CAV’99) – Small domains instantiation
• Bryant et al. (CAV’00) – Boolean encoding with explicit constraints

[Figure: equality graph on x, y, z with edge variables exy, eyz, exz]

Example: Equality Logic (3/3)

Bryant et al. (CAV’00): Add transitivity constraints to the formula.

Let (x=y, y=z, x=z) be the equality predicates in the formula.

1. Construct the equality graph.

2. Impose transitivity on cycles: exy + eyz + exz ≠ 2

The resulting formula is propositional: BDDs, SAT, etc.

This work

Extends the results of Bryant et al. to a Boolean combination of:

• Separation predicates:
• Separation predicates for integers:
• Linear arithmetic:
• Integer linear arithmetic:

Done

Usability

Separation predicates:

“Most verification conditions involving inequalities are separation predicates” [Pratt, 1973]: array bounds checks, tests on index variables, timing constraints, worst execution time analysis, etc.

Linear arithmetic: All of the above + …

+ Linear programming,

+ Integer Linear programming.

Reducing separation predicates to propositional logic (1/6)

A. Normalize (example):

f(x) > f(y+1)

1. Uninterpreted functions → equality logic:

(x = y+1 → f1 = f2) ∧ (f1 > f2)

2. Normal form: rewrite x ≠ y+1 as x > y+1 ∨ y > x−1, and f1 = f2 as f1 ≥ f2 ∧ f2 ≥ f1:

(x > y+1 ∨ y > x−1 ∨ (f1 ≥ f2 ∧ f2 ≥ f1)) ∧ (f1 > f2)

Now the formula has no negations and only the ‘>’ and ‘≥’ predicate symbols.

[Figure: separation graph for the example on x, y, z with weights 3, 1, −1, and its dual with weights −3, −1, 1]

Reducing separation predicates to propositional logic (3/6)

B. Encode + construct graph (example):

: (x > z +3  (z>y –1 yx+1))

[Figure: the encoded propositional formula and its transitivity constraints, next to the separation graph for the example and its dual (weights 3, 1, −1 and −3, −1, 1)]

Reducing separation predicates to propositional logic (5/6)

C. Add transitivity constraints for each simple cycle (example):

[Figure: the encoded propositional formula with the transitivity constraint added for each simple cycle]
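Steps B and C above for a constructed Boolean combination of three separation predicates, as an added example not taken from the slides or the authors' tools: each predicate gets a Boolean variable, the separation graph holds its edge and its dual edge, every infeasible simple cycle contributes one transitivity constraint, and a brute-force check over the predicate variables stands in for the SAT solver (the names e1..e3, the edge convention and the skeleton formulas are assumptions).

```python
from itertools import product

# Constructed example (not from the slides): e_i names the predicate x > y + c, stored as (x, y, c).
PREDS = {
    "e1": ("x", "z", 3),   # x > z + 3
    "e2": ("z", "y", -1),  # z > y - 1
    "e3": ("y", "x", 1),   # y > x + 1
}

def separation_graph(preds):
    """Edges (src, dst, w, strict, literal) read dst >= src + w (strict for
    '>'). A predicate gives y -> x, weight c, literal (e, True); its dual
    (predicate false, i.e. y >= x - c) gives x -> y, -c, literal (e, False)."""
    edges = []
    for name, (x, y, c) in preds.items():
        edges.append((y, x, c, True, (name, True)))
        edges.append((x, y, -c, False, (name, False)))
    return edges

def transitivity_constraints(edges):
    """One clause per infeasible simple cycle: accumulated weight > 0, or
    = 0 with a strict edge, means the edges cannot all hold, so one of their
    literals must be false. Each directed cycle is enumerated once, from its
    smallest node; a predicate paired with its own dual is a tautology."""
    clauses = []
    def walk(start, cur, seen, lits, w, strict):
        for src, dst, c, s, lit in edges:
            if src != cur or dst < start or (dst != start and dst in seen):
                continue
            if dst != start:
                walk(start, dst, seen | {dst}, lits + [lit], w + c, strict or s)
                continue
            cyc = lits + [lit]
            infeasible = w + c > 0 or (w + c == 0 and (strict or s))
            tautology = any((n, not v) in cyc for n, v in cyc)
            if infeasible and not tautology:
                clauses.append([(n, not v) for n, v in cyc])  # negate all
    for v in sorted({v for e in edges for v in e[:2]}):
        walk(v, v, {v}, [], 0, False)
    return clauses

def solve(skeleton, preds):
    """Brute force over the predicate variables stands in for a SAT solver:
    a model must satisfy the skeleton and every transitivity constraint."""
    clauses = transitivity_constraints(separation_graph(preds))
    for bits in product([False, True], repeat=len(preds)):
        a = dict(zip(preds, bits))
        if skeleton(a) and all(any(a[n] == v for n, v in cl) for cl in clauses):
            return a
    return None
```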

Compact representation of constraints (1/4)

n diamonds → 2^n simple cycles.

Can we do better than that?

In most cases - yes.

e.g. If the diamonds are ‘balanced’ (c1 + c2 = c3 + c4) → O(n) constraints

[Figure: one diamond with top-path weights c1, c2 and bottom-path weights c3, c4; the chord carries c1 + c2]

Compact representation of constraints (2/4)

Chordal graphs: each cycle of size greater than 3 has a ‘chord’.

In the equality predicates case:

Let C be a cycle in G, and let an assignment violate C’s transitivity.

Theorem: there exists a cycle c of size 3 in G whose transitivity the same assignment violates.

Conclusion: add transitivity constraints only for triangles.

Now only a polynomial number of constraints is required.

[Figure: chordal graph G with edge weights c1 ... c5; the chord carries c1 + c2]

Compact representation of constraints (3/4)

• Our case is more complicated:
• G is directed
• G is a multi-graph
• Edges have weights
• There are two types of edges

G is chordal iff: every directed cycle of size greater than 3 has a chord which ‘accumulates’ the weight of the path between its ends.

[Figure: chain of diamonds with uniform weights c1 on the top paths and c2 on the bottom paths]

Compact representation of constraints (4/4)

Complexity of making the graph chordal:

1. If the diamonds are ‘balanced’ → O(n) constraints

2. If there are uniform weights c1 and c2, c1 ≠ c2, on top and bottom paths → O(n^2) constraints

3. Worst case → O(2^n)

Extension to integer variables (1/2)

Given a formula with integer separation predicates (c is an integer), derive its real-valued version R:

• Declare all variables as real.
• For each predicate x > y + c, add the constraint x > y + c → x ≥ y + c + 1.

Theorem: the original formula is satisfiable iff R is satisfiable.

Experimental results (1/3)

[Figure: chain of n diamonds, d = 2]

n diamonds; each diamond has 2d edges. Top and bottom paths in each diamond are disjuncted. There are 2^n conjuncted cycles.

By adjusting the weights, we ensured that there is a single satisfying assignment.

Experimental results (2/3)

To be continued...

Experimental results (3/3)

To be continued...

The procedure has recently been integrated into SyMP and Euclid.

We currently experiment with real software verification problems.

[Figure: a cycle of three separation edges with weights c1, c2, c3]

Next: Linear Arithmetic (1/2)

Separation predicates: [Figure: an edge between y and x labelled c, standing for x > y + c]

Adding constraints according to accumulated cycle weight: the test c1 + c2 + c3 > 0 results in a yes/no answer.

Next: Linear Arithmetic (2/2)

Linear Arithmetic: [Figure: an edge between y and x labelled 2z + c, standing for x > y + 2z + c, in a cycle whose other weights are 3 and 2]

The test1 + 2 + 3 > 0 results in a new predicate!

Shostak [81]: ‘Deciding linear inequalities by computing loop residues’

- Determine a fixed variable order

- Represent each predicate by its two ‘highest’ variables

This procedure guarantees termination.