1 / 133

# Solvers: Equality and Arrays Lecture 4 2012 - PowerPoint PPT Presentation

Solvers: Equality and Arrays Lecture 4 2012. Nikolaj Bjørner Microsoft Research DTU Winter course January 5 th 2012. Plan. The theory of Un-interpreted functions The Theory of Arrays. Key Takeaways :. Theory of equality, un-interpreted functions and arrays

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Solvers: Equality and Arrays Lecture 4 2012

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

## Solvers: Equality and ArraysLecture 4 2012

Nikolaj Bjørner

Microsoft Research

DTU Winter course January 5th2012

### Plan

• The theory of Un-interpreted functions

• The Theory of Arrays

### Key Takeaways:

• Theory of equality, un-interpreted functions and arrays

• Saturation-based decision procedures

• A common pattern

• Connections with algorithms used in program analysis

• Inference rule formulation

• Datalog formulation

• A reduction approach to decision procedures

• The theory of array reduces to theory of equalities/functions

Deciding

Equality

### E - The theory of equality

Reflexivity: t = t

Symmetry: t = s  s = t

Transitivity: t = s  s= u t = u

Congruence: t1= s1 ..  tn =sn  f(t1, …, tn) = f(s1, …, sn)

E – the (infinite) conjunction of these axioms

### Congruence Closure

• E-satisfiability can be decided with a simple algorithm known as congruence closure.

• Congruence closure creates a finite quotient for DC(E + L).

• E – Equality axioms

• L – Literals: extra equalities in input

### Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

a

b

c

d

e

s

t

### Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

a

b

c

d

e

s

t

### Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

a,b

c

d

e

s

t

### Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

a,b

c

d

e

s

t

### Deciding Equality

a = b, b = c, d = e, b = s, d = t, a e, a s

a,b,c

d

e

s

t

### Deciding Equality

a = b,b = c, d = e, b = s, d = t, a e, a s

a,b,c

d

e

s

t

### Deciding Equality

a = b,b = c, d = e, b = s, d = t, a e, a s

a,b,c

d,e

s

t

### Deciding Equality

a = b,b = c, d = e, b = s, d = t, a e, a s

a,b,c

d,e

s

t

### Deciding Equality

a = b,b = c, d = e, b = s, d = t, a e, a s

a,b,c,s

d,e

t

### Deciding Equality

a = b,b = c, d = e, b = s, d = t, a e, a s

a,b,c,s

d,e

t

### Deciding Equality

a = b,b = c, d = e, b = s, d = t, a e, a s

a,b,c,s

d,e,t

### Deciding Equality

a = b,b = c, d = e, b = s, d = t, a e, a s

a,b,c,s

d,e,t

### Deciding Equality

a = b,b = c, d = e, b = s, d = t, a e, a s

a,b,c,s

d,e,t

Unsatisfiable

### Deciding Equality

a = b,b = c, d = e, b = s, d = t, a e

a,b,c,s

d,e,t

Model construction

### Deciding Equality

a = b,b = c, d = e, b = s, d = t, a e

a,b,c,s

1

2

d,e,t

Model construction

• |M| = {1 ,2} (universe, aka domain)

### Deciding Equality

a = b,b = c, d = e, b = s, d = t, a e

a,b,c,s

1

2

d,e,t

Model construction

• |M| = {1 ,2} (universe, aka domain)

• M(a) = 1 (assignment)

### Deciding Equality

a = b,b = c, d = e, b = s, d = t, a e

a,b,c,s

1

2

d,e,t

Alternative notation:

• aM = 1

Model construction

• |M| = {1 ,2} (universe, aka domain)

• M(a) = 1 (assignment)

### Deciding Equality

a = b,b = c, d = e, b = s, d = t, a e

a,b,c,s

1

2

d,e,t

Model construction

• |M| = {1 ,2} (universe, aka domain)

• M(a) = M(b) = M(c) = M(s) = 1

• M(d) = M(e) = M(t) = 2

### Deciding Equality:Termination, Soundness, Completeness

• Termination: easy

• Soundness

• Invariant: all constants in a “ball” are known to be equal.

• The “ball” merge operation is justified by:

• Transitivity and Symmetry rules.

• Completeness

• We can build a model if an inconsistency was not detected.

• Build a candidate model.

• Assume a literal was not satisfied.

### Deciding Equality:Termination, Soundness, Completeness

• Completeness

• We can build a model if an inconsistency was not detected.

• Instantiating the template for our procedure:

• Assume some literal c = d is not satisfied by our model.

• That is, M(c) ≠ M(d).

• This is impossible, c and d must be in the same “ball”.

c,d,…

i

M(c) = M(d) = i

### Deciding Equality:Termination, Soundness, Completeness

• Completeness

• We can build a model if an inconsistency was not detected.

• Instantiating the template for our procedure:

• Assume some literal c ≠ d is not satisfied by our model.

• That is, M(c) = M(d).

• Key property: we only check the disequalities after we processed all equalities.

• This is impossible, c and d must be in the different “balls”

c,…

d,…

i

j

M(c) = i

M(d) = j

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, f(a, g(d))  f(b, g(e))

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, f(a, g(d))  f(b, g(e))

First Step: “Naming” subterms

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, f(a, v1)  f(b, g(e))

v1  g(d)

First Step: “Naming” subterms

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, f(a, v1)  f(b, g(e))

v1  g(d)

First Step: “Naming” subterms

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, f(a, v1)  f(b, v2)

v1  g(d), v2  g(e)

First Step: “Naming” subterms

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, f(a, v1)  f(b, v2)

v1  g(d), v2  g(e)

First Step: “Naming” subterms

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, v3  f(b, v2)

v1  g(d), v2  g(e), v3 f(a, v1)

First Step: “Naming” subterms

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, v3 f(b, v2)

v1  g(d), v2  g(e), v3  f(a, v1)

First Step: “Naming” subterms

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, v3 v4

v1  g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

First Step: “Naming” subterms

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, v3 v4

v1  g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

a,b,c,s

d,e,t

v2

v4

v1

v3

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, v3 v4

v1  g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

a,b,c,s

d,e,t

v2

v4

v1

v3

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

• d = e implies g(d) = g(e)

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, v3 v4

v1  g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

a,b,c,s

d,e,t

v2

v4

v1

v3

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

• d = e implies v1= v2

### Deciding Equality + (uninterpreted) Functions

We say:

• v1 and v2 are congruent.

a = b,b = c, d = e, b = s, d = t, v3 v4

v1 g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

a,b,c,s

v1,v2

d,e,t

v4

v3

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

• d = e implies v1= v2

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, v3 v4

v1  g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

a,b,c,s

v1,v2

d,e,t

v4

v3

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

• a = b, v1= v2implies f(a, v1) = f(b, v2)

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, v3 v4

v1  g(d), v2  g(e), v3  f(a, v1) , v4 f(b, v2)

a,b,c,s

v1,v2

d,e,t

v4

v3

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

• a = b, v1= v2implies v3 = v4

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, v3 v4

v1  g(d), v2  g(e), v3  f(a, v1) , v4 f(b, v2)

a,b,c,s

v1,v2

v3,v4

d,e,t

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

• a = b, v1= v2implies v3 = v4

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, v3  v4

v1  g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

a,b,c,s

v1,v2

v3,v4

d,e,t

Unsatisfiable

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, a v4, v2  v3

v1  g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

Changing the problem

a,b,c,s

v1,v2

v3,v4

d,e,t

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, a v4, v2  v3

v1  g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

a,b,c,s

v1,v2

v3,v4

d,e,t

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, a v4, v2  v3

v1  g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

a,b,c,s

v1,v2

v3,v4

d,e,t

Congruence Rule:

• x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, a v4, v2  v3

v1  g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

a,b,c,s

v1,v2

1

2

3

4

v3,v4

d,e,t

Model construction:

• |M| = {1 ,2 ,3 ,4}

• M(a) = M(b) = M(c) = M(s) = 1

• M(d) = M(e) = M(t) = 2

• M(v1) = M(v2) = 3

• M(v3) = M(v4) = 4

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, a v4, v2  v3

v1  g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

a,b,c,s

v1,v2

1

2

3

4

v3,v4

d,e,t

Model construction:

• |M| = {1 ,2 ,3 ,4}

• M(a) = M(b) = M(c) = M(s) = 1

• M(d) = M(e) = M(t) = 2

• M(v1) = M(v2) = 3

• M(v3) = M(v4) = 4

Missing:

Interpretation for f and g.

### Deciding Equality + (uninterpreted) Functions

• Building the interpretation for function symbols

• M(g) is a mapping from |M| to |M|

• Defined as:

M(g)(i) = j if there is v  g(a) s.t.

M(a) = i

M(v) = j

= k, otherwise (k is an arbitrary element)

• Is M(g) well-defined?

### Deciding Equality + (uninterpreted) Functions

• Building the interpretation for function symbols

• M(g) is a mapping from |M| to |M|

• Defined as:

M(g)(i) = j if there is v  g(a) s.t.

M(a) = i

M(v) = j

= k, otherwise (k is an arbitrary element)

• Is M(g) well-defined?

• Problem: we may have

v  g(a) and w  g(b) s.t.

M(a) = M(b) = 1 and M(v) = 2 ≠ 3 = M(w)

So, is M(g)(1) = 2 or M(g)(1) = 3?

### Deciding Equality + (uninterpreted) Functions

• Building the interpretation for function symbols

• M(g) is a mapping from |M| to |M|

• Defined as:

M(g)(i) = j if there is v  g(a) s.t.

M(a) = i

M(v) = j

= k, otherwise (k is an arbitrary element)

• Is M(g) well-defined?

• Problem: we may have

v  g(a) and w  g(b) s.t.

M(a) = M(b) = 1 and M(v) = 2 ≠ 3 = M(w)

So, is M(g)(1) = 2 or M(g)(1) = 3?

This is impossible because of the congruence rule!

a and b are in the same “ball”, then so are v and w

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, a v4, v2  v3

v1  g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

a,b,c,s

v1,v2

1

2

3

4

v3,v4

d,e,t

Model construction:

• |M| = {1 ,2 ,3 ,4}

• M(a) = M(b) = M(c) = M(s) = 1

• M(d) = M(e) = M(t) = 2

• M(v1) = M(v2) = 3

• M(v3) = M(v4) = 4

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, a v4, v2  v3

v1  g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

Model construction:

• |M| = {1 ,2 ,3 ,4}

• M(a) = M(b) = M(c) = M(s) = 1

• M(d) = M(e) = M(t) = 2

• M(v1) = M(v2) = 3

• M(v3) = M(v4) = 4

M(g)(i) = j if there is v  g(a) s.t.

M(a) = i

M(v) = j

= k, otherwise

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, a v4, v2  v3

v1  g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

Model construction:

• |M| = {1 ,2 ,3 ,4}

• M(a) = M(b) = M(c) = M(s) = 1

• M(d) = M(e) = M(t) = 2

• M(v1) = M(v2) = 3

• M(v3) = M(v4) = 4

• M(g) = {2 →3}

M(g)(i) = j if there is v  g(a) s.t.

M(a) = i

M(v) = j

= k, otherwise

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, a v4, v2  v3

v1  g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

Model construction:

• |M| = {1 ,2 ,3 ,4}

• M(a) = M(b) = M(c) = M(s) = 1

• M(d) = M(e) = M(t) = 2

• M(v1) = M(v2) = 3

• M(v3) = M(v4) = 4

• M(g) = {2 →3}

M(g)(i) = j if there is v  g(a) s.t.

M(a) = i

M(v) = j

= k, otherwise

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, a v4, v2  v3

v1  g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

Model construction:

• |M| = {1 ,2 ,3 ,4}

• M(a) = M(b) = M(c) = M(s) = 1

• M(d) = M(e) = M(t) = 2

• M(v1) = M(v2) = 3

• M(v3) = M(v4) = 4

• M(g) = {2 →3, else →1}

M(g)(i) = j if there is v  g(a) s.t.

M(a) = i

M(v) = j

= k, otherwise

### Deciding Equality + (uninterpreted) Functions

a = b,b = c, d = e, b = s, d = t, a v4, v2  v3

v1  g(d), v2  g(e), v3  f(a, v1) , v4  f(b, v2)

Model construction:

• |M| = {1 ,2 ,3 ,4}

• M(a) = M(b) = M(c) = M(s) = 1

• M(d) = M(e) = M(t) = 2

• M(v1) = M(v2) = 3

• M(v3) = M(v4) = 4

• M(g) = {2 →3, else →1}

• M(f) = { (1 ,3)→4, else →1}

M(g)(i) = j if there is v  g(a) s.t.

M(a) = i

M(v) = j

= k, otherwise

### Deciding Equality + (uninterpreted) Functions

p(a, b), p(c, b)

### Deciding Equality + (uninterpreted) Functions

p(a, b), p(c, b)

• fp(a, b) = T, fp(c, b) ≠ T

### E-satisfiability - example

• f(f(a)) = a, a  f(a)

### Conguruence Closure Graph

• Recall congruence rule:

• Congruence: t1= s1 ..  tn =sn f(t1, …, tn) = f(s1, …, sn)

### Congruence closure graph

• Let G = (V,E) be a directed graph such that for each vertex v in G, the successors (children) of v are ordered.

• Let C be any equivalence relation on V.

• The congruence closure C* of C is the finest equivalence relation on V,

• that contains C : v C w then v C* w

• Closed: If

• children(v) = v1 ..vn

• children(w) = w1 ..wn Then v C* w

• v1C* w1 … vnC* wn

### Congruence closure graph

• From literals L to a congruence graph.

• For each subterm t in L create a vertex vt

• For each function symbol f create vertex vf

• If t = f(t1, …, tn),let children(vt) = vf, vt1, …, vtn

• From literals L to an initial equivalence C

• Initially C = { { v } | v  V }

• For each equality t = s  L:

• Merge equivalence classes for vt and vs

### Computing congruence closure

• From the definition, we can read off that Congruence closure is the least fixed-point of the operator CongClos:

CongClos(C*)(v,w) =

v Cw

orlet v1 .. vn = children(v)

let w1 ..wn = children(w) in CongClos(C*)(v1, w1)  ..  CongClos(C*)(vn, wn)

### Computing Congruence closure

• Fixed-point characterization suggests (dynamic programming) algorithm:

• Maintain root vertex for each equivalence class.

• Maintain sig(nature) of each vertex:sig(vf(t1,..,tn)) = root(vf ), root(vt1).. root(vtn) 

• Initialize C*  C

• while  v,w  V s.t. v C* w, but sig(v) = sig(w):C*  C* with classes for v, w merged

### Computing Congruence closure

• A more efficient implementation of congruence closure

• Use union-find for maintaining roots

• Maintain use (a list) for set of parent vertices.

• Set todo = {}

• def merge(v, w):C*  C* with classes for v, w merged

foreachvp use(v), wp use(w):add  vp, wp  to todo

• foreachasserted equality (v,w): merge(v,w)

• while some  v, w   todo:remove  v, w  from todoif v C* w, but sig(v) = sig(w) then merge(v,w)

### Using congruence closure

• Back to the main problem.

• E-satisfiability t1 = t2  t3 = t4  t5  t6

• Form graph using {t1, t2, t3 , t4 , t5 , t6 }

• Initialize C from equalities

• Compute C* from C

• Check that vt5C*vt6

### Congruence closure algorithm

• Soundness: C* just simulates axioms of E.

• Completeness: From C* build model M.

• fM(v1, …, vn) = root(v), if there is a v, such that sig(v) = fM,v1, …, vn

• fM(v1, …, vn) = *otherwise

• Then all axioms in E are true in M.

• All equalities in L are true in M.

### DPLL(E)

• Congruence closure just checks satisfiability of conjunction of literals.

• How does this fit together with Boolean search DPLL?

• DPLL builds partial model M incrementally

• Use M to build C*

• After every Decision or Propagate, or

• When F is propositionally satisfied by M.

• Check that disequalities are satisfied.

### E - conflicts

Recall Conflict:

• Conflict M || F  M || F || CifCF, M ⊨T C

A version more useful for theories:

• Conflict M || F  M || F || CifC M, ⊨T C

### E - conflicts

Example

• M = fff(a) = a, g(b) = c, fffff(a)= a, a  f(a)

•  C = fff(a) = a, fffff(a)=a, a  f(a)

• ⊨E fff(a) a fffff(a) a  a = f(a)

• Use C as a conflict clause.

### E - conflicts

How can one mine M for E-conflicts?

### Convexity

• The theory E is convex.

• Convexity: Let L be a set of equalities and disequalitiesIf L ⊨Es1 = t1 …  sn = tnThen for some i: L ⊨Esi = ti(proof: use soundess and completeness of Congruence Closure).

• A consequence:

• To check satisfiability it suffices to check each disequality in isolation.

### Inference rules, Abstract decision procdures, and Datalog

Consider Datalog formulation:Rule formulation:

Eq(x,x) .

Eq(x,y) :- Eq(y,x).

Eq(x,y) :- Eq(x,z), Eq(z,y) .

Eq(u,v) :- Eq(x,y), F(x,u), F(y,v) .

F(a,f(a)) . F(b, f(b)) . Eq(a,b) .

?- Eq(f(a),f(b)) .

Congruence closure algorithm is “just”an efficient way of computing closure of Eq(_,_).

Arrays

### Why use abstract arrays?

def swap(a, i, j):

tmp = a[i];

a[i] = a[j];

a[j] = tmp;

new(a)[i] = a[j]

new(a)[j] = a[i]

k i, k j a[k] = new(a)[k]

new(a)[i] = write(write(a,i,a[j]),j,a[i])[i] = ifi = j then a[i] else write(a,i,a[j])[i] =

• ifi = j then a[i] else a[j] =

• a[j]

new(a)[j] = write(write(a,i,a[j]),j,a[i])[j] = a[i]

new(a) = write(write(a,i,a[j]),j,a[i])

new(a) =

let tmp = a[i]

a1= write(a,i,a[j]);

a2= write(a1,j,tmp);in a2

def swap(a, i, j):

tmp = a[i];

a1= write(a,i,a[j]);

a2= write(a1,j,tmp); new(a) = a2

def swap(a, i, j):

tmp = a[i];

a = write(a,i,a[j]);

a= write(a,j,tmp);

### Theory of arrays

• Functions: F= { read, write }

• Predicates: P= { = }

• Non-extensional arrays TA:

• a, i, v . write(a,i,v)[i] = v

• a, i, j, v . i  j  write(a,i,v)[j] = a[j]

• Extensional arrays: TEA = TA +

• a, b. ((i. a[i] = b[i])  a = b)

Is valid

Is unsat

Is unsat

(arrayaxiom)

Is unsat

(congruence)

Is valid

Is unsat

Is unsat

Array axiom

Is unsat

Case:

Case:

Array axiom

Case:

Case:

Congruence

Case:

Case:

Case:

Extensionality

Case:

Extensionality

Case:

Skolemize

Case:

Array axiom

Case:

### Decision procedures for arrays

• Let L be literals over F= { read, write }

• Find M such that: M ⊨TA L

• Basic algorithm, reduce to E:

• for every sub-term read(a,i), write(b,j,v) in L

• i  j  a = b  read(write(b,j,v),i) = read(a,i)

• Find ME, such thatME⊨EL  AssertedAxioms

### Decision procedures for arrays

• Correctness of basic algorithm:

• ME satisfies array axioms on terms in L.

• To show that ME can be extended to model for arrays:

• From Congurence Closure C*build model:

• aM = [| *d1  *r1 , *d2  *r2 , *d3  .., else  vroot(a) |]

• Where readM(aM, *di ) = *r1e.g., *r1 = root(read(root(a),root(i)) under C*

• Model satisfies array axioms.

• For every write(a,i,v) the model satisfies write(a,i,v)[j] = a[j] whenever iM jM(first axiom) and also write(a,i,v)[i] = v (second axiom).

• vroot(a) was added to make arrays different unless they were forced to be (no extensionality)

### Non-extensionality

• A non-theorem

• a and b need not be equal even if the array axioms hold.

### Extensional arrays

• To enforce:a, b. ((i. a[i]= b[i])  a = b)

• For every pair a, b in L,

• Add axiom a  b  a[iab]  b[iab]

• ### Arrays galore

• Arrays may be more than just read/write.

• The constant array:v, i . const(v)[i] = v

• Generalized write: a,b,c, i . a[i] = b[i]  write(a,b,c)[i] = c[i] a,b,c, i . a[i]  b[i]  write(a,b,c)[i] = b[i]

• We now have sets:

•  = const(false), T = const(true),

• A  B = write(,A,B)[i]

• A  B = write(T,A,B)[i]

• Ranges:

• l,u, x . range(l,u)[x]  l  x  u

### Arrays galore

• Claim: Same kind of reduction to E (and arithmetic) works

• Integer ranges, require slightly more

• range(l,u)[l-1], range(l,u)[u+1]

• range(l,u)[l], range(l,u)[u]

• Is there a general principle underpinning such extensions?

### Arrays galore

• Consider a more general formulation.

•  is a conjunction of:

• Equalities, disequalities

•  i, j, k . G(i,j,k)  F(i,j,k)

• Where G is a guard formula comparing indices:

• And-or formula of i  j, i  c

• Claim: We can always eliminate i =j from the guard.

• Where F is a general formula with arrays, Restriction: no nested array formulas.

• Example:

•  j . if i = j then b[i] = v else b[i] = a[i]

• Encodes that b = write(a,i,v)

### Arrays galore

•  i, j, k . G(i,j,k)  F(i,j,k)

• Where G is a guard formula comparing indices:

• And-or formula of i  j, i  c

• Claim: We can always eliminate i =j ori = c from the guard.

 i, j, k . i = j  k  c  j  c’  F(i,j,k)

  i, k . k  c  i  c  F(i,i,k)

### Arrays galore

•  i, j, k . G(i,j,k)  F(i,j,k)

• Where G is a guard formula comparing indices:

• And-or formula of i  j, i  c

• Claim: We can always or from the guard

 i, j, k . G(i,j,k)  G’(i,j,k)  F(i,j,k)

  i, j, k . G(i,j,k)  F(i,j,k)

 i, j, k . G’(i,j,k)  F(i,j,k)

### Arrays galore

•  i, j, k . G(i,j,k)  F(i,j,k)

• Where G is conjunction of i  j, i  c

• Decision procedure:

• Collect all c, where a[c] or c = i

• Instantiate quantifiers by all combinations of such indices.

• Check for E – satisfiability of ground formula.

• Correctness: All quantified formulas are satisfied by C*.

### Arrays galore - Arithmetic

•  i, j, k . G(i,j,k)  F(i,j,k)

• Where G is conjunction of i < j, i < c, i > c

• Decision procedure:

• Collect all c, where a[c], c < i , c > ioccurs in formula.

• For each c, also add c-1, c+1 to collection.

• Instantiate quantifiers by all combinations of collected indices.

• Check for ILA + E – satisfiability of ground formula.

## Combinatory Array Logic

### What else are arrays?

• Special combinators:

• Result: Existential fragment is decidable and in NP by reduction to congruence closure using finite set of instances.( f belongs to base theory – not arrays)

### … A different fragment:

• Then:

• Theory is decidable.

### Last combinator for the road…

• Can I access a default array value?

Only sound for infinite domains

### Let’s use CAL:

• Simple set and bag operations:

• But not cardinality |A|, power-set 2A, …

## A Basic Decision Procedure

### A reduction-based approach

Use saturation rules to reduce arrays to the theory of un-interpreted functions

Extract models for arrays as finite graphs

### Array Saturation Rules

• a~b – a and b are equal in current context

• a≡t – a is a name for the term t

### Bottlenecks

• Extensionality axiom is instantiated on every pair of array variables.

• Upwards propagation distributes index over all modifications of same array.

### Bottlenecks and

• Bottleneck: Extensionality axiom is instantiated on every pair of array variables.

• Optimization: Restrict to variables asserted different, or shared.

### Bottlenecks and

• Bottleneck: Upwards propagation distributes index over all modifications of same array.

• Optimization: Only use  for updates where ancestor has multiple children. Formulas from programs are well-behaved.

### The effect on benchmarks

This is where it matters

## Saturating for CAL

### Saturating K, map, 

• Rules for map are similar as for store.

• Optimization of  has to be generalized.

• Finite domains…