- 103 Views
- Uploaded on
- Presentation posted in: General

A Framework for Cooperating Decision Procedures

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

A Framework for Cooperating Decision Procedures

Clark W. Barrett

David L. Dill

Aaron Stump

Computer Systems Laboratory

Stanford University

- Motivation
- The Framework
- Correctness of the Framework
- Using the Framework
- Conclusions

- Many interesting and practical problems can be expressed as problems in a decidable theory.
- General purpose decision procedures can save time and effort when approaching new problems.
- Decision procedures have been used in theorem proving, model checking, symbolic simulation, system specification, and other applications, many of which were unanticipated.

- This work is a result of ongoing attempts to improve the decision procedures of SVC.
- Despite theoretical and architectural weaknesses, SVC has been surprisingly successful.
- Our goals with SVC include the following:
- Provably correct,
- Adequately expressive, yet still decidable,
- Flexible and easy to extend,
- Maximum performance.

- Suppose are decidable theories, with disjoint signatures
- Let and
- is a quantifier-free formula in the language of .
- Is satisfiable in the theory

- Two main approaches
- Nelson and Oppen [‘79]
- Shostak [‘84]

- Original papers are confusing and incomplete.
- [Tinelli & Harandi ‘96]
- [Cyrluk et al. ‘96, Shankar & Ruess ‘00]

- This work seeks to unify and further clarify these two approaches.

- Motivation
- The Framework
- Correctness of the Framework
- Using the Framework
- Conclusions

- Expressions
- DAG representation of terms and formulas.
- Operator applied to 0 or more children.

- Union-Find
- Each expression (including Boolean constants true and false) belongs to an equivalence class with a unique representative.
- Find(x) returns the equivalence class representative of x.
- Union(x,y) merges the equivalence classes associated with x and y and makes y the new representative.

- AddFormula() ( a literal in )
- C := C {}; (Initially, C = Ø)

- Satisfiable()
- Returns TRUE iff Find(true) Find(false).

- Satisfiability of an arbitrary formula in is determined by converting to DNF and then testing each conjunct for satisfiability.

Merge

Assert

AddFormula

Setup

Simplify

Rewrite

’

Propagate

t’

t

a=b

a,b

t

a=b

t

t’

Theory-specific code

- Assert() processes the formula by first simplifying it and then calling Merge.
- AddFormula is a wrapper around Assert which allows each theory to assert new facts.

Assert()

’ := Simplify();

IF ’ not an equation THEN

’ := (’ = true);

Merge(’);

AddFormula()

Assert( );

REPEAT

FOREACH theory i DO

Propagate(i);

UNTIL no change;

Merge

Assert

AddFormula

Setup

Simplify

Rewrite

’

Propagate

t’

t

a=b

a,b

t

a=b

t

t’

Theory-specific code

- Simplify returns an expression which is equivalent in the current context.
- Recursively replaces each sub-expression with its equivalence class representative.
- Applies theory-specific rewrites.

Simplify()

IF Find() THEN

RETURN Find();

’ := Simplify each child of ;

’ := Rewrite(’);

RETURN ’;

Rewrite(t)

t’ := TheoryRewrite(t);

IF t t’ THEN

t’ := Rewrite(t’);

RETURN t’;

Merge

Assert

AddFormula

Setup

Simplify

Rewrite

’

Propagate

t’

t

a=b

a,b

t

a=b

t

t’

Theory-specific code

- Merge records that two expressions a and b are equal by merging their equivalence classes.
- Calls Setup on each expression.
- Notifies theories that care about a.

Merge(a=b)

Setup(a);Setup(b);

Union(a,b);

FOREACH <f,d>a.notify

Call f(a=b,d);

Setup(t)

IF Find(t) THEN RETURN;

FOREACH child c Setup(c);

TheorySetup(c);

Find(c) := c;

true

a = b

Merge

Assert

AddFormula

Setup

Simplify

Rewrite

’

Propagate

t’

t

a=b

a,b

t

a=b

t

t’

Theory-specific code

Find(a) = b

a = b

a = b

a = b

a = b

true

a = b

b = b

true

b = b

b = b true

- Motivation
- The Framework
- Correctness of the Framework
- Using the Framework
- Conclusions

- Develop a set of preconditions and requirements that must hold for the framework to be correct.
- Prove that, as long as the code associated with individual theories adheres to these general requirements, the framework is correct.
- Prove the main theorems once, then prove a small set of theorems each time a theory is added.

- Theorem [Tinelli et al. ‘96]:
LetT1and T2be two disjoint theories and let1be a formula in the language ofT1 and 2 a formula in the language of T2.

Let V be the set of their shared variables and let (V) be an arrangement of V.

If 1(V) is satisfiable in T1 and

2(V) is satisfiable in T2, then

1 2is satisfiable inT1 T2.

- Every formula recorded by Merge is associated with an individual theory.
- Each theory Tidetermines whether the conjunction of its formulas together with the arrangement of shared variables induced by the expression equivalence classes is satisfiable in Ti.
- By application of the previous theorem, we can then determine whether the conjunction of all formulas recorded by Merge is satisfiable.

- Motivation
- The Framework
- Correctness of the Framework
- Using the Framework
- Conclusions

Merge

Assert

AddFormula

Setup

Simplify

Rewrite

’

Propagate

t’

t

a=b

a,b

t

a=b

t

t’

Theory-specific code

- Input formulas are transformed into equivalent formulas, each of which is in a single theory.
- Suppose f and g are symbols from two different theories.

- Each theory must determine whether any equalities between (shared) variables are entailed by its formulas and propagate these equalities.

- The flexible nature of the framework allows us to directly implement and prove correctness of a more efficient algorithm:
- Don’t transform the formulas or introduce new variables. It is sufficient to partition the formulas and mark which terms are “used” by more than one theory.
- Only propagate equalities between terms used by more than one theory, and only to theories which use the left side of the equality.

- Combines three theories:
- Uninterpreted functions
- Arithmetic with inequalities
- Arrays

Merge

Assert

AddFormula

Setup

Simplify

Rewrite

’

Propagate

t’

t

a=b

a,b

t

a=b

t

t’

Uninterpreted

Arithmetic

Arrays

- More efficient than Nelson-Oppen, but not as widely applicable.
- Only applies to theories which are canonizable and algebraically solvable.
- Input formulas are solved for a single variable.
- No need to propagate equalities.

- Use theory-specific Rewrite code to solve and canonize formulas.
- Both Shostak and Nelson-Oppen style theories can be integrated in the same framework.
- Proof of correctness is easier than in other treatments of Shostak because we can treat uninterpreted functions as belonging to a separate Nelson-Oppen style theory.

- Motivation
- The Framework
- Correctness of the Framework
- Using the Framework
- Conclusions

- What Have We Learned?
- There is a demand for efficient cooperating decision procedures.
- Getting it right is hard.
- A solid theoretical foundation is necessary.

- Future Work
- The next version of SVC is under development.
- New theories.
- Relax restrictions on what kinds of theories can be integrated.

- Visit the SVC home page at http://verify.stanford.edu/SVC