A propositional world - PowerPoint PPT Presentation



A propositional world. Ofer Strichman Joint work with Randal Bryant and Sanjit Seshia School of Computer Science, Carnegie Mellon University. Integrated decision procedures in Theorem-Provers. Deciding a combination of theories is the key for automation in Theorem Provers:


PowerPoint Slideshow about ' A propositional world' - august-lester


Presentation Transcript

A propositional world

Ofer Strichman

Joint work with

Randal Bryant and Sanjit Seshia

School of Computer Science, Carnegie Mellon University

Integrated decision procedures in Theorem-Provers

Deciding a combination of theories is the key for automation in Theorem Provers:

Boolean operators, Bit-vector, Sets, Linear-Arithmetic,

Uninterpreted functions, More …

Example formula mixing bit-vector operators, linear arithmetic and uninterpreted functions:

f(f(x) - f(y)) != f(z) & y <= x + 2 | b & 3 > 10

Normally, each theory is solved with its own decision procedure and the results are combined (Shostak, Nelson, ...).

Integrated decision procedures in Theorem-Provers

All of these theories, except linear arithmetic, have known efficient direct reductions to propositional logic.

Thus, reducing linear arithmetic to propositional logic will:

1. Enable integration of theories in the propositional logic level.

2. Potentially be faster than known techniques.

Linear Arithmetic and its sub-theories

2x – 3y + 5z < 0

5x + 2w 2

  • Some useful methods for solving a conjunction of linear arithmetic expressions:
    • Simplex, Elliptic curve
    • Variable Elimination Methods (Hodes, Fourier-Motzkin, ...)
    • Shostak’s loop residues
    • Separation theory: Bellman / Pratt ...
    • ...

[Figure: inequality graph with nodes x, y, z and edge weights 3, 1 and -1]

A decision procedure for separation theory

Separation predicates have the form x > y + c, where x, y are real variables and c is a constant.

Pratt [73] (/Bellman [57]):

Given a set φ of conjuncted separation predicates:

1. Construct the ‘inequality graph’.

2. φ is satisfiable iff there is no cycle with non-negative accumulated weight.

Example: φ: (x > z + 3 ∧ z > y − 1 ∧ y > x + 1)

Handling disjunctions through case splitting
  • All previously mentioned algorithms handle disjunctions by splitting the formula.
  • This can be thought of as a two-stage process:
    • Convert the formula to Disjunctive Normal Form (DNF)
    • Solve each clause separately, until one of them is satisfied.

(A common improvement: split ‘when needed’)

Case splitting is frequently the bottleneck of the procedure

So what can be done against case-splitting ?

Answer: Split the domain, not the formula.

Given a formula φ, this transformation can be done if there exists a formula φ’ such that φ is satisfiable iff φ’ is satisfiable, and φ’ is decidable under a finite domain.

  • When is this possible?
    • φ enjoys the ‘Small model property’, or
    • Tailor-made reduction
SAT vs. infinite-state decision procedures

With finite instantiation (e.g. SAT), we split the domain.

Infinite state decision procedures split the formula.

So what’s the big difference ?


SAT vs. infinite-state decision procedures

Three mechanisms, crucial for efficient decision making:

1. Pruning.

2. Learning.

3. Guidance (prioritizing internal steps)

SAT has a significant advantage in all three.


[Figure: SAT decision tree over x and y for the clause (x ∨ y), showing a backtrack and a pruned subtree]

SAT vs. infinite-state decision procedures (1/4)

1. Pruning

SAT: each clause c prunes up to 2^(|v| − |c|) states (|v| variables, |c| literals in the clause).

With |v| = 1000 and |c| = 2, a single clause prunes 2^998 states.

Others: ? (stops when it finds a satisfiable clause)

SAT vs. infinite-state decision procedures (2/4)

2. Learning

SAT: Partial assignments that lead to a conflict are recorded and hence not repeated.

Others: (depends on decision procedure)

- Adding proved sub-goals as antecedents to new sub-goals

- …

SAT vs. infinite-state decision procedures (3/4)

3. Guidance (prioritizing internal steps)

Consider 1 2, where 1is unsat and hard, and 2is sat and easy.

With proper guidance, a theorem prover should start from 2.

Guidance requires efficient estimation:

- How hard it is to solve each sub-formula?

- To what extent will it simplify the rest of the proof?

SAT vs. infinite-state decision procedures (4/4)

3. Guidance (cont’d)

“..To what extent will it simplify the rest of the proof?”

SAT: Guidance through decision heuristics (e.g. DLIS).

(x ∨ y ∨ z)
(x ∨ v)
(¬x ∨ ¬z)

Estimating simplification by counting literals in each phase.

Others: Expression ordering, ...

Example: Equality Logic with Uninterpreted Functions (1/3)

Equality Logic with Uninterpreted Functions:

(Uninterpreted functions are reducible to equality logic. Thus, we can concentrate on equality logic.)

Traditional infinite-state decision procedure: Congruence Closure with case splitting.

Example: Equality Logic (2/3)
  • Since 1998, several groups devised finite-state decision procedures for this theory:
    • Goel et al. (CAV’98) – Boolean encoding and BDDs
    • Bryant et al. (CAV’99) – Positive-equality + finite instantiation
    • Pnueli et al. (CAV’99) – Small domains instantiation
    • Bryant et al. (CAV’00) – Boolean encoding with explicit constraints

[Figure: equality graph with nodes x, y, z and edge variables e_xy, e_yz, e_xz]

Example: Equality Logic (3/3)

Bryant et al. (CAV’00): Add transitivity constraints to the formula.

Let (x = y, y = z, x = z) be the equality predicates in φ.

1. Construct the equality graph.

2. Impose transitivity on cycles: e_xy + e_yz + e_xz ≠ 2

The resulting formula is propositional → BDDs, SAT, etc.

This work

Extends the results of Bryant et al. to a Boolean combination of:

  • Separation predicates:
  • Separation predicates for integers:
  • Linear arithmetic:
  • Integer linear arithmetic:

Done

Usability

Separation predicates:

“Most verification conditions involving inequalities are separation predicates” [Pratt, 1973]:

Array bounds checks, tests on index variables, timing constraints, worst execution time analysis, etc.

Linear arithmetic: All of the above + …

+ Linear programming,

+ Integer Linear programming.

Reducing separation predicates to propositional logic (1/6)

A. Normalize (example):

φ: f(x) > f(y + 1)

1. Uninterpreted functions → equality logic:

φ: (x = y + 1 → f1 = f2) ∧ (f1 > f2)

2. Normal form: rewrite x ≠ y + 1 as (x > y + 1 ∨ y > x − 1) and f1 = f2 as (f1 ≥ f2 ∧ f2 ≥ f1):

φ: (x > y + 1 ∨ y > x − 1 ∨ (f1 ≥ f2 ∧ f2 ≥ f1)) ∧ (f1 > f2)

Now φ has no negations and only the ‘>’ and ‘≥’ predicate symbols.


[Figure: separation graph for the example (edges x→z weight 3, z→y weight −1, y→x weight 1) and its dual (reversed edges with weights −3, −1, 1)]

Reducing separation predicates to propositional logic (3/6)

B. Encode + construct graph (example):

φ: (x > z + 3 ∧ (z > y − 1 ∨ y ≥ x + 1))

Each predicate is encoded by a Boolean variable; the separation graph (one edge per predicate) and its dual (the reversed edges for the negated predicates) are built as in the figure above, and φ’ is the encoded formula together with its transitivity constraints.


[Figure: the separation graph and its dual from (3/6), repeated]

Reducing separation predicates to propositional logic (5/6)

C. Add transitivity constraints for each simple cycle (example):

φ’: the propositional skeleton of φ conjoined with one transitivity constraint per simple cycle of the separation graph and its dual (figure above).

[Figure: a chain of n diamonds]

Compact representation of constraints (1/4)

n diamonds → 2^n simple cycles.

Can we do better than that?

In most cases - yes.

e.g. If the diamonds are ‘balanced’ (c1 + c2 = c3 + c4) → O(n) constraints

[Figure: one diamond with top-path weights c1, c2, bottom-path weights c3, c4, and a chord of weight c1 + c2]

Compact representation of constraints (2/4)

Chordal graphs: each cycle of size greater than 3 has a ‘chord’.

[Figure: an example chordal graph G]

In the equality predicates case:

Let C be a cycle in G, and let an assignment violate C’s transitivity constraint.

Theorem: that assignment also violates the transitivity constraint of some cycle c of size 3 in G.

Conclusion: add transitivity constraints only for triangles.

Now only a polynomial no. of constraints is required.
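The triangle-only transitivity constraints of the equality-logic slide (3/3) and the chordality theorem above, as an added Python example (not the authors' code): `chordalize` adds fill-in edges by vertex elimination, `triangle_constraints` emits e_ab + e_bc + e_ac ≠ 2 per triangle, and `constraints_exact` checks by brute force that on the chordal graph those clauses accept exactly the assignments realisable by some valuation, while on the bare 4-cycle they do not. The elimination order and the union-find consistency check are assumptions of mine.

```python
from itertools import combinations, product
# Constructed example, not the authors' code. An undirected edge {a, b} carries
# the Boolean variable e_ab standing for the equality predicate a = b.

def chordalize(order, edges):
    # Vertex elimination: eliminating v connects all its remaining neighbours
    # (fill-in edges), so every cycle longer than 3 ends up with a chord.
    adj = {v: set() for v in order}
    result = set()
    for a, b in edges:
        adj[a].add(b); adj[b].add(a); result.add(frozenset((a, b)))
    alive = set(order)
    for v in order:
        alive.discard(v)
        for a, b in combinations(sorted(adj[v] & alive), 2):
            adj[a].add(b); adj[b].add(a); result.add(frozenset((a, b)))
    return result

def triangle_constraints(edges):
    # e_ab + e_bc + e_ac != 2: any two true edges of a triangle force the third.
    clauses = set()
    for a, b, c in combinations(sorted({v for e in edges for v in e}), 3):
        tri = [frozenset((a, b)), frozenset((b, c)), frozenset((a, c))]
        if all(t in edges for t in tri):
            for k in range(3):   # clause: ~A | ~B | C with C = tri[k]
                clauses.add(frozenset((t, j == k) for j, t in enumerate(tri)))
    return clauses

def consistent(assign):
    # Realisable by a valuation iff no false edge joins two nodes that are
    # already connected through true edges (union-find over the true edges).
    parent = {}
    def find(v):
        while parent.get(v, v) != v:
            v = parent[v]
        return v
    for e in (e for e, v in assign.items() if v):
        parent[find(min(e))] = find(max(e))
    return all(v or find(min(e)) != find(max(e)) for e, v in assign.items())

def constraints_exact(edges):
    # True iff the triangle clauses accept exactly the consistent assignments.
    edges, clauses = sorted(edges, key=sorted), triangle_constraints(edges)
    for vals in product([False, True], repeat=len(edges)):
        assign = dict(zip(edges, vals))
        ok = all(any(assign[e] == v for e, v in cl) for cl in clauses)
        if ok != consistent(assign):
            return False
    return True

SQUARE = [("x", "y"), ("y", "z"), ("z", "w"), ("w", "x")]  # 4-cycle without a chord
```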


[Figure: a diamond with edge weights c1 to c5 and a chord of weight c1 + c2]

Compact representation of constraints (3/4)
  • Our case is more complicated:
    • G is directed
    • G is a multi-graph
    • Edges have weights
    • There are two types of edges

G is chordal iff: every directed cycle of size greater than 3 has a chord which ‘accumulates’ the weight of the path between its ends.


Compact representation of constraints (4/4)

Complexity of making the graph chordal:

1. If the diamonds are ‘balanced’ → O(n) constraints

2. If there are uniform weights c1 and c2, c1 ≠ c2, on the top and bottom paths → O(n^2) constraints

3. Worst case → O(2^n)

[Figure: chain of diamonds with every top edge weighted c1 and every bottom edge weighted c2]

Extension to integer variables (1/2)

(c is an integer)

Given φ with integer separation predicates, derive φR:

  • Declare all variables as real.
  • For each predicate x > y + c, add a constraint x > y + c → x ≥ y + c + 1.

Theorem: φ is satisfiable iff φR is satisfiable.

Experimental results (1/3)

[Figure: chain of n diamonds, d = 2]

n diamonds; each diamond has 2d edges.

Top and bottom paths in each diamond are disjuncted.

There are 2^n conjuncted cycles.

By adjusting the weights, we ensured that there is a single satisfying assignment.

Experimental results (2/3)

To be continued...

Experimental results (3/3)

To be continued...

The procedure has recently been integrated into SyMP and Euclid.

We currently experiment with real software verification problems.


[Figure: a cycle with edge weights c1, c2, c3; a separation predicate x > y + c is drawn as an edge from x to y labelled c]

Next: Linear Arithmetic (1/2)

Separation predicates: x > y + c

Adding constraints according to accumulated cycle weight: the test c1 + c2 + c3 > 0 results in a yes/no answer.


[Figure: the predicate x > y + 2z + c drawn as an edge from x to y labelled 2z + c, in a cycle whose other edges are weighted 3 and 2]

Next: Linear Arithmetic (2/2)

Linear Arithmetic: x > y + 2z + c

The corresponding test (sum of the three edge labels > 0) now results in a new predicate, not a yes/no answer!

Shostak [81]: ‘Deciding linear inequalities by computing loop residues’

- Determine a fixed variable order

- Represent each predicate by its two ‘highest’ variables

This procedure guarantees termination.
