- 24 Views
- Uploaded on
- Presentation posted in: General

Solvers: Equality and Arrays Lecture 4 2012

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Solvers: Equality and ArraysLecture 4 2012

Nikolaj Bjørner

Microsoft Research

DTU Winter course January 5th2012

- The theory of Un-interpreted functions
- The Theory of Arrays

- Theory of equality, un-interpreted functions and arrays
- Saturation-based decision procedures
- A common pattern
- Connections with algorithms used in program analysis
- Inference rule formulation
- Datalog formulation

- A reduction approach to decision procedures
- The theory of array reduces to theory of equalities/functions

Deciding

Equality

Reflexivity: t = t

Symmetry: t = s s = t

Transitivity: t = s s= u t = u

Congruence: t1= s1 .. tn =sn f(t1, …, tn) = f(s1, …, sn)

E – the (infinite) conjunction of these axioms

- E-satisfiability can be decided with a simple algorithm known as congruence closure.
- Congruence closure creates a finite quotient for DC(E + L).
- E – Equality axioms
- L – Literals: extra equalities in input

a = b, b = c, d = e, b = s, d = t, a e, a s

a

b

c

d

e

s

t

a = b, b = c, d = e, b = s, d = t, a e, a s

a

b

c

d

e

s

t

a = b, b = c, d = e, b = s, d = t, a e, a s

a,b

c

d

e

s

t

a = b, b = c, d = e, b = s, d = t, a e, a s

a,b

c

d

e

s

t

a = b, b = c, d = e, b = s, d = t, a e, a s

a,b,c

d

e

s

t

a = b,b = c, d = e, b = s, d = t, a e, a s

a,b,c

d

e

s

t

a = b,b = c, d = e, b = s, d = t, a e, a s

a,b,c

d,e

s

t

a = b,b = c, d = e, b = s, d = t, a e, a s

a,b,c

d,e

s

t

a = b,b = c, d = e, b = s, d = t, a e, a s

a,b,c,s

d,e

t

a = b,b = c, d = e, b = s, d = t, a e, a s

a,b,c,s

d,e

t

a = b,b = c, d = e, b = s, d = t, a e, a s

a,b,c,s

d,e,t

a = b,b = c, d = e, b = s, d = t, a e, a s

a,b,c,s

d,e,t

a = b,b = c, d = e, b = s, d = t, a e, a s

a,b,c,s

d,e,t

Unsatisfiable

a = b,b = c, d = e, b = s, d = t, a e

a,b,c,s

d,e,t

Model construction

a = b,b = c, d = e, b = s, d = t, a e

a,b,c,s

1

2

d,e,t

Model construction

- |M| = {1 ,2} (universe, aka domain)

a = b,b = c, d = e, b = s, d = t, a e

a,b,c,s

1

2

d,e,t

Model construction

- |M| = {1 ,2} (universe, aka domain)
- M(a) = 1 (assignment)

a = b,b = c, d = e, b = s, d = t, a e

a,b,c,s

1

2

d,e,t

Alternative notation:

- aM = 1

Model construction

- |M| = {1 ,2} (universe, aka domain)
- M(a) = 1 (assignment)

a = b,b = c, d = e, b = s, d = t, a e

a,b,c,s

1

2

d,e,t

Model construction

- |M| = {1 ,2} (universe, aka domain)
- M(a) = M(b) = M(c) = M(s) = 1
- M(d) = M(e) = M(t) = 2

- Termination: easy
- Soundness
- Invariant: all constants in a “ball” are known to be equal.
- The “ball” merge operation is justified by:
- Transitivity and Symmetry rules.

- Completeness
- We can build a model if an inconsistency was not detected.
- Proof template (by contradiction):
- Build a candidate model.
- Assume a literal was not satisfied.
- Find contradiction.

- Completeness
- We can build a model if an inconsistency was not detected.
- Instantiating the template for our procedure:
- Assume some literal c = d is not satisfied by our model.
- That is, M(c) ≠ M(d).
- This is impossible, c and d must be in the same “ball”.

c,d,…

i

M(c) = M(d) = i

- Completeness
- We can build a model if an inconsistency was not detected.
- Instantiating the template for our procedure:
- Assume some literal c ≠ d is not satisfied by our model.
- That is, M(c) = M(d).
- Key property: we only check the disequalities after we processed all equalities.
- This is impossible, c and d must be in the different “balls”

c,…

d,…

i

j

M(c) = i

M(d) = j

a = b,b = c, d = e, b = s, d = t, f(a, g(d)) f(b, g(e))

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a = b,b = c, d = e, b = s, d = t, f(a, g(d)) f(b, g(e))

First Step: “Naming” subterms

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a = b,b = c, d = e, b = s, d = t, f(a, v1) f(b, g(e))

v1 g(d)

First Step: “Naming” subterms

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a = b,b = c, d = e, b = s, d = t, f(a, v1) f(b, g(e))

v1 g(d)

First Step: “Naming” subterms

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a = b,b = c, d = e, b = s, d = t, f(a, v1) f(b, v2)

v1 g(d), v2 g(e)

First Step: “Naming” subterms

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a = b,b = c, d = e, b = s, d = t, f(a, v1) f(b, v2)

v1 g(d), v2 g(e)

First Step: “Naming” subterms

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a = b,b = c, d = e, b = s, d = t, v3 f(b, v2)

v1 g(d), v2 g(e), v3 f(a, v1)

First Step: “Naming” subterms

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a = b,b = c, d = e, b = s, d = t, v3 f(b, v2)

v1 g(d), v2 g(e), v3 f(a, v1)

First Step: “Naming” subterms

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a = b,b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

First Step: “Naming” subterms

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a = b,b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

a,b,c,s

d,e,t

v2

v4

v1

v3

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a = b,b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

a,b,c,s

d,e,t

v2

v4

v1

v3

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
- d = e implies g(d) = g(e)

a = b,b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

a,b,c,s

d,e,t

v2

v4

v1

v3

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
- d = e implies v1= v2

We say:

- v1 and v2 are congruent.

a = b,b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

a,b,c,s

v1,v2

d,e,t

v4

v3

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
- d = e implies v1= v2

a = b,b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

a,b,c,s

v1,v2

d,e,t

v4

v3

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
- a = b, v1= v2implies f(a, v1) = f(b, v2)

a = b,b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

a,b,c,s

v1,v2

d,e,t

v4

v3

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
- a = b, v1= v2implies v3 = v4

a = b,b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

a,b,c,s

v1,v2

v3,v4

d,e,t

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
- a = b, v1= v2implies v3 = v4

a = b,b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

a,b,c,s

v1,v2

v3,v4

d,e,t

Unsatisfiable

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a = b,b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Changing the problem

a,b,c,s

v1,v2

v3,v4

d,e,t

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a = b,b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

a,b,c,s

v1,v2

v3,v4

d,e,t

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a = b,b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

a,b,c,s

v1,v2

v3,v4

d,e,t

Congruence Rule:

- x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

a = b,b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

a,b,c,s

v1,v2

1

2

3

4

v3,v4

d,e,t

Model construction:

- |M| = {1 ,2 ,3 ,4}
- M(a) = M(b) = M(c) = M(s) = 1
- M(d) = M(e) = M(t) = 2
- M(v1) = M(v2) = 3
- M(v3) = M(v4) = 4

a = b,b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

a,b,c,s

v1,v2

1

2

3

4

v3,v4

d,e,t

Model construction:

- |M| = {1 ,2 ,3 ,4}
- M(a) = M(b) = M(c) = M(s) = 1
- M(d) = M(e) = M(t) = 2
- M(v1) = M(v2) = 3
- M(v3) = M(v4) = 4

Missing:

Interpretation for f and g.

- Building the interpretation for function symbols
- M(g) is a mapping from |M| to |M|
- Defined as:
M(g)(i) = j if there is v g(a) s.t.

M(a) = i

M(v) = j

= k, otherwise (k is an arbitrary element)

- Is M(g) well-defined?

- Building the interpretation for function symbols
- M(g) is a mapping from |M| to |M|
- Defined as:
M(g)(i) = j if there is v g(a) s.t.

M(a) = i

M(v) = j

= k, otherwise (k is an arbitrary element)

- Is M(g) well-defined?
- Problem: we may have
v g(a) and w g(b) s.t.

M(a) = M(b) = 1 and M(v) = 2 ≠ 3 = M(w)

So, is M(g)(1) = 2 or M(g)(1) = 3?

- Problem: we may have

- Building the interpretation for function symbols
- M(g) is a mapping from |M| to |M|
- Defined as:
M(g)(i) = j if there is v g(a) s.t.

M(a) = i

M(v) = j

= k, otherwise (k is an arbitrary element)

- Is M(g) well-defined?
- Problem: we may have
v g(a) and w g(b) s.t.

M(a) = M(b) = 1 and M(v) = 2 ≠ 3 = M(w)

So, is M(g)(1) = 2 or M(g)(1) = 3?

- Problem: we may have

This is impossible because of the congruence rule!

a and b are in the same “ball”, then so are v and w

a = b,b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

a,b,c,s

v1,v2

1

2

3

4

v3,v4

d,e,t

Model construction:

- |M| = {1 ,2 ,3 ,4}
- M(a) = M(b) = M(c) = M(s) = 1
- M(d) = M(e) = M(t) = 2
- M(v1) = M(v2) = 3
- M(v3) = M(v4) = 4

a = b,b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Model construction:

- |M| = {1 ,2 ,3 ,4}
- M(a) = M(b) = M(c) = M(s) = 1
- M(d) = M(e) = M(t) = 2
- M(v1) = M(v2) = 3
- M(v3) = M(v4) = 4

M(g)(i) = j if there is v g(a) s.t.

M(a) = i

M(v) = j

= k, otherwise

a = b,b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Model construction:

- |M| = {1 ,2 ,3 ,4}
- M(a) = M(b) = M(c) = M(s) = 1
- M(d) = M(e) = M(t) = 2
- M(v1) = M(v2) = 3
- M(v3) = M(v4) = 4
- M(g) = {2 →3}

M(g)(i) = j if there is v g(a) s.t.

M(a) = i

M(v) = j

= k, otherwise

a = b,b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Model construction:

- |M| = {1 ,2 ,3 ,4}
- M(a) = M(b) = M(c) = M(s) = 1
- M(d) = M(e) = M(t) = 2
- M(v1) = M(v2) = 3
- M(v3) = M(v4) = 4
- M(g) = {2 →3}

M(g)(i) = j if there is v g(a) s.t.

M(a) = i

M(v) = j

= k, otherwise

a = b,b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Model construction:

- |M| = {1 ,2 ,3 ,4}
- M(a) = M(b) = M(c) = M(s) = 1
- M(d) = M(e) = M(t) = 2
- M(v1) = M(v2) = 3
- M(v3) = M(v4) = 4
- M(g) = {2 →3, else →1}

M(g)(i) = j if there is v g(a) s.t.

M(a) = i

M(v) = j

= k, otherwise

a = b,b = c, d = e, b = s, d = t, a v4, v2 v3

v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)

Model construction:

- |M| = {1 ,2 ,3 ,4}
- M(a) = M(b) = M(c) = M(s) = 1
- M(d) = M(e) = M(t) = 2
- M(v1) = M(v2) = 3
- M(v3) = M(v4) = 4
- M(g) = {2 →3, else →1}
- M(f) = { (1 ,3)→4, else →1}

M(g)(i) = j if there is v g(a) s.t.

M(a) = i

M(v) = j

= k, otherwise

What about predicates?

p(a, b), p(c, b)

What about predicates?

p(a, b), p(c, b)

- fp(a, b) = T, fp(c, b) ≠ T

- f(f(a)) = a, a f(a)

- Recall congruence rule:
- Congruence: t1= s1 .. tn =sn f(t1, …, tn) = f(s1, …, sn)

- Let G = (V,E) be a directed graph such that for each vertex v in G, the successors (children) of v are ordered.
- Let C be any equivalence relation on V.
- The congruence closure C* of C is the finest equivalence relation on V,
- that contains C : v C w then v C* w
- Closed: If
- children(v) = v1 ..vn
- children(w) = w1 ..wn Then v C* w
- v1C* w1 … vnC* wn

- From literals L to a congruence graph.
- For each subterm t in L create a vertex vt
- For each function symbol f create vertex vf
- If t = f(t1, …, tn),let children(vt) = vf, vt1, …, vtn

- From literals L to an initial equivalence C
- Initially C = { { v } | v V }
- For each equality t = s L:
- Merge equivalence classes for vt and vs

- From the definition, we can read off that Congruence closure is the least fixed-point of the operator CongClos:
CongClos(C*)(v,w) =

v Cw

orlet v1 .. vn = children(v)

let w1 ..wn = children(w) in CongClos(C*)(v1, w1) .. CongClos(C*)(vn, wn)

- Fixed-point characterization suggests (dynamic programming) algorithm:
- Maintain root vertex for each equivalence class.
- Maintain sig(nature) of each vertex:sig(vf(t1,..,tn)) = root(vf ), root(vt1).. root(vtn)
- Initialize C* C
- while v,w V s.t. v C* w, but sig(v) = sig(w):C* C* with classes for v, w merged

- A more efficient implementation of congruence closure
- Use union-find for maintaining roots
- Maintain use (a list) for set of parent vertices.
- Set todo = {}
- def merge(v, w):C* C* with classes for v, w merged
foreachvp use(v), wp use(w):add vp, wp to todo

- foreachasserted equality (v,w): merge(v,w)
- while some v, w todo:remove v, w from todoif v C* w, but sig(v) = sig(w) then merge(v,w)

- Back to the main problem.
- E-satisfiability t1 = t2 t3 = t4 t5 t6

- Form graph using {t1, t2, t3 , t4 , t5 , t6 }
- Initialize C from equalities
- Compute C* from C
- Check that vt5C*vt6

- Soundness: C* just simulates axioms of E.
- Completeness: From C* build model M.
- fM(v1, …, vn) = root(v), if there is a v, such that sig(v) = fM,v1, …, vn
- fM(v1, …, vn) = *otherwise
- Then all axioms in E are true in M.
- All equalities in L are true in M.

- Congruence closure just checks satisfiability of conjunction of literals.
- How does this fit together with Boolean search DPLL?
- DPLL builds partial model M incrementally
- Use M to build C*
- After every Decision or Propagate, or
- When F is propositionally satisfied by M.

- Check that disequalities are satisfied.

- Use M to build C*

Recall Conflict:

- Conflict M || F M || F || CifCF, M ⊨T C
A version more useful for theories:

- Conflict M || F M || F || CifC M, ⊨T C

Example

- M = fff(a) = a, g(b) = c, fffff(a)= a, a f(a)
- C = fff(a) = a, fffff(a)=a, a f(a)
- ⊨E fff(a) a fffff(a) a a = f(a)
- Use C as a conflict clause.

How can one mine M for E-conflicts?

- The theory E is convex.
- Convexity: Let L be a set of equalities and disequalitiesIf L ⊨Es1 = t1 … sn = tnThen for some i: L ⊨Esi = ti(proof: use soundess and completeness of Congruence Closure).
- A consequence:
- To check satisfiability it suffices to check each disequality in isolation.

Consider Datalog formulation:Rule formulation:

Eq(x,x) .

Eq(x,y) :- Eq(y,x).

Eq(x,y) :- Eq(x,z), Eq(z,y) .

Eq(u,v) :- Eq(x,y), F(x,u), F(y,v) .

F(a,f(a)) . F(b, f(b)) . Eq(a,b) .

?- Eq(f(a),f(b)) .

Congruence closure algorithm is “just”an efficient way of computing closure of Eq(_,_).

Arrays

def swap(a, i, j):

tmp = a[i];

a[i] = a[j];

a[j] = tmp;

new(a)[i] = a[j]

new(a)[j] = a[i]

k i, k j a[k] = new(a)[k]

new(a)[i] = write(write(a,i,a[j]),j,a[i])[i] = ifi = j then a[i] else write(a,i,a[j])[i] =

- ifi = j then a[i] else a[j] =
- a[j]

new(a)[j] = write(write(a,i,a[j]),j,a[i])[j] = a[i]

new(a) = write(write(a,i,a[j]),j,a[i])

new(a) =

let tmp = a[i]

a1= write(a,i,a[j]);

a2= write(a1,j,tmp);in a2

def swap(a, i, j):

tmp = a[i];

a1= write(a,i,a[j]);

a2= write(a1,j,tmp); new(a) = a2

def swap(a, i, j):

tmp = a[i];

a = write(a,i,a[j]);

a= write(a,j,tmp);

- Functions: F= { read, write }
- Predicates: P= { = }
- Convention a[i] means: read(a,i)
- Non-extensional arrays TA:
- a, i, v . write(a,i,v)[i] = v
- a, i, j, v . i j write(a,i,v)[j] = a[j]

- Extensional arrays: TEA = TA +
- a, b. ((i. a[i] = b[i]) a = b)

Is valid

Is unsat

Is unsat

(arrayaxiom)

Is unsat

(congruence)

Is valid

Is unsat

Is unsat

Array axiom

Is unsat

Case:

Case:

Array axiom

Case:

Case:

Congruence

Case:

Case:

Case:

Extensionality

Case:

Extensionality

Case:

Skolemize

Case:

Array axiom

Case:

- Let L be literals over F= { read, write }
- Find M such that: M ⊨TA L
- Basic algorithm, reduce to E:
- for every sub-term read(a,i), write(b,j,v) in L
- i j a = b read(write(b,j,v),i) = read(a,i)
- read(write(b,j,v),j) = v

- Find ME, such thatME⊨EL AssertedAxioms

- for every sub-term read(a,i), write(b,j,v) in L

- Correctness of basic algorithm:
- ME satisfies array axioms on terms in L.
- To show that ME can be extended to model for arrays:
- From Congurence Closure C*build model:
- aM = [| *d1 *r1 , *d2 *r2 , *d3 .., else vroot(a) |]
- Where readM(aM, *di ) = *r1e.g., *r1 = root(read(root(a),root(i)) under C*

- Model satisfies array axioms.
- For every write(a,i,v) the model satisfies write(a,i,v)[j] = a[j] whenever iM jM(first axiom) and also write(a,i,v)[i] = v (second axiom).
- vroot(a) was added to make arrays different unless they were forced to be (no extensionality)

- From Congurence Closure C*build model:

- A non-theorem
- a and b need not be equal even if the array axioms hold.

- To enforce:a, b. ((i. a[i]= b[i]) a = b)

- Add fresh constant iab
- Add axiom a b a[iab] b[iab]

- Arrays may be more than just read/write.
- The constant array:v, i . const(v)[i] = v
- Generalized write: a,b,c, i . a[i] = b[i] write(a,b,c)[i] = c[i] a,b,c, i . a[i] b[i] write(a,b,c)[i] = b[i]
- We now have sets:
- = const(false), T = const(true),
- A B = write(,A,B)[i]
- A B = write(T,A,B)[i]

- Ranges:
- l,u, x . range(l,u)[x] l x u

- Claim: Same kind of reduction to E (and arithmetic) works
- Integer ranges, require slightly more
- range(l,u)[l-1], range(l,u)[u+1]
- range(l,u)[l], range(l,u)[u]

- Integer ranges, require slightly more
- Is there a general principle underpinning such extensions?

- Consider a more general formulation.
- is a conjunction of:
- Equalities, disequalities
- i, j, k . G(i,j,k) F(i,j,k)
- Where G is a guard formula comparing indices:
- And-or formula of i j, i c
- Claim: We can always eliminate i =j from the guard.

- Where F is a general formula with arrays, Restriction: no nested array formulas.

- Where G is a guard formula comparing indices:

- Example:
- j . if i = j then b[i] = v else b[i] = a[i]
- Encodes that b = write(a,i,v)

- is a conjunction of:

- i, j, k . G(i,j,k) F(i,j,k)
- Where G is a guard formula comparing indices:
- And-or formula of i j, i c
- Claim: We can always eliminate i =j ori = c from the guard.
i, j, k . i = j k c j c’ F(i,j,k)

i, k . k c i c F(i,i,k)

- Where G is a guard formula comparing indices:

- i, j, k . G(i,j,k) F(i,j,k)
- Where G is a guard formula comparing indices:
- And-or formula of i j, i c
- Claim: We can always or from the guard
i, j, k . G(i,j,k) G’(i,j,k) F(i,j,k)

i, j, k . G(i,j,k) F(i,j,k)

i, j, k . G’(i,j,k) F(i,j,k)

- Where G is a guard formula comparing indices:

- i, j, k . G(i,j,k) F(i,j,k)
- Where G is conjunction of i j, i c

- Decision procedure:
- Collect all c, where a[c] or c = i
- Instantiate quantifiers by all combinations of such indices.
- Check for E – satisfiability of ground formula.

- Correctness: All quantified formulas are satisfied by C*.

- i, j, k . G(i,j,k) F(i,j,k)
- Where G is conjunction of i < j, i < c, i > c

- Decision procedure:
- Collect all c, where a[c], c < i , c > ioccurs in formula.
- For each c, also add c-1, c+1 to collection.
- Instantiate quantifiers by all combinations of collected indices.
- Check for ILA + E – satisfiability of ground formula.

Combinatory Array Logic

- Special combinators:
- Result: Existential fragment is decidable and in NP by reduction to congruence closure using finite set of instances.( f belongs to base theory – not arrays)

- Then:
- Theory is decidable.

- Can I access a default array value?

Only sound for infinite domains

- Simple set and bag operations:
- But not cardinality |A|, power-set 2A, …

A Basic Decision Procedure

Use saturation rules to reduce arrays to the theory of un-interpreted functions

Extract models for arrays as finite graphs

- a~b – a and b are equal in current context
- a≡t – a is a name for the term t

- Extensionality axiom is instantiated on every pair of array variables.
- Upwards propagation distributes index over all modifications of same array.

- Bottleneck: Extensionality axiom is instantiated on every pair of array variables.

- Optimization: Restrict to variables asserted different, or shared.

- Bottleneck: Upwards propagation distributes index over all modifications of same array.
- Optimization: Only use for updates where ancestor has multiple children. Formulas from programs are well-behaved.

This is where it matters

Saturating for CAL

- Rules for map are similar as for store.
- Optimization of has to be generalized.
- Finite domains…