- By
**ciara** - Follow User

- 116 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about 'Decision Procedures An algorithmic point of view' - ciara

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Decision ProceduresAn algorithmic point of view

Equality Logic andUninterpreted Functions

Outline

- Introduction
- Definition, complexity
- Reducing Uninterpreted Functions to Equality Logic
- Using Uninterpreted Functions in proofs
- Simplifications
- Introduction to the decision procedures
- The framework: assumptions and normal forms
- General terms and notions
- Solving a conjunction of equalities
- Simplifications

Equality Logic

- A Boolean combination of Equalities and Propositions

x1=x2Æ (x2=x3Ç: ((x1=x3) ÆbÆx1= 2))

- We will always push negations inside (NNF):

x1=x2Æ (x2=x3Ç ((x1x3) Ç:bÇx1 2))

- Note: the set of Boolean variables is always separate from the set of term variables

Equality Logic: the grammar

- formula : formulaÇformula | :formula | atom
- atom : term-variable = term-variable | term-variable = constant | Boolean-variable

term-variables are defined over some (possible infinite) domain.

The constants are from the same domain.

Expressiveness and complexity

- Allows more natural description of systems,althoughtechnically it is as expressible as Propositional Logic.
- Clearly NP-hard.
- In fact, it is in NP, and hence NP-complete, for reasons we shall see later.

Equality logic with uninterpreted functions

- formula : formulaÇformula | :formula | atom
- atom : term = term | Boolean-variable
- term : term-variable | function ( list of terms )

term-variables are defined over some (possible infinite) domain.

Note that constants are functions with empty list of terms.

What is an uninterpreted function ?

- The signature includes in addition to equality, function and predicate symbols.
- The theory restricts the interpretation of these symbols by a single axiom. For n-ary function F:
- Sometimes, functional consistency is all that is needed for the proof.

Uninterpreted Functions

- Uninterpreted functions are used for abstraction.
- Example: replace ‘+’ with an uninterpreted Binary function f (h1st argi , h 2nd arg i)
- For example: x1+ x2 = x3+x4 is replaced with
- fcanrepresent any binary function, not just +.

Example: Circuit Transformations

- Circuits consist of combinationalgates and latches (registers)
- The combinational gates can be modeled using functions
- The latches can be modeled with variables

Latch

R1

I

Combi- national part

Example: Circuit Transformations

Some bitvector Input

Some function, say I >> 5

Some other function, say L1 & 100110001…

Some condition on L2

Example: Circuit Transformations

- A pipeline processes data in stages
- Data is processed in parallel – as in an assembly line
- Formal Model:

Stage 1

Stage 2

Stage 3

Example: Circuit Transformations

- The maximum clock frequency depends on the longest path between two latches
- Note that the output of g is usedas input to k
- We want to speed up the design by postponing k to the third stage
- Also note that the circuit only uses one of L3 or L4, never both
- We can remove one of the latches

Example: Circuit Transformations

- Equivalence in this case holds regardless of the actual functions
- Conclusion: can be decided using Equality Logic and Uninterpreted Functions

f1

F2(F1(x)) = 0

f2

f2 =0

UFs Equality Logic: Ackermann’s reduction- For each function in UF:
- Number function instances (from the inside out)
- Replace each function instance with a new variable
- Condition UF with a functional consistency constraint for every pair of instances of thesame function.

Given a formula UF with uninterpreted functions

((x=f1) f1=f2 ) (f2=0)

Ackermann’s reduction : Example

- Given the formula(x1x2) Ç (F(x1) =F(x2)) Ç (F(x1) F(x3))which we want to check for validity, we first number the function instances: (x1x2) Ç (F1(x1) =F2(x2)) Ç (F1(x1) F3(x3))

Ackermann’s reduction : Example

(x1x2) Ç (F1(x1) =F2(x2)) Ç (F1(x1) F3(x3))

- Replace each function with a new variable,

(x1x2) Ç (f1 =f2 ) Ç (f1f3 )

- Condition with Functional Consistency constraints:

F1(x1) = F2(x2)

case x1=x2 : f1true :f2

f1 =

UFs Equality Logic: Bryant’s reductionGiven a formula UF with UFs

- For each function in UF:
- Number function instances (from the inside out)
- Replace a function instance Fi with an expression

casex1=xi :f1

x2=xi:f2

xi-1 =xi :fi-1

true :fi

F1(x1) = F2(x2)

UFs Equality Logic: Bryant’s reductionGiven a formula UF with UFs

- For each function in UF:
- Number function instances (from the inside out)
- Replace a function instance Fi with an expression

casex1=xi :f1

x2=xi:f2

xi-1 =xi :fi-1

true :fi

(x1=x2 → f1= f1)Æ

(x1x2 → f1= f2)

Bryant’s reduction: Example

- x1=x2F1(G1(x1)) =F2(G2(x2))
- Replace each function with an expression
- where

Using UFs in proofs

- Uninterpreted functions gives us the ability to represent an abstract view of functions.
- It over-approximates the concrete system.

1 + 1 = 1 is a contradiction

But

F(1,1) = 1 is satisfiable !

- Conclusion: unless we are careful, we can give wrong answers and this way lose soundness.

Using UFs in proofs

- In general a sound and incomplete method is more useful than unsound and complete.
- A soundbutincomplete algorithm:
- Given a formula with uninterpreted functions UF:
- Transform it to Equality Logic formula E
- If E is unsatisfiable return Unsatisfiable
- Else return ‘Don’t know’

Using UFs in proofs

- Question #1: is this useful ?
- Question #2: can it be made complete in some cases ?
- When the abstract view is sufficient for the proof, it enables (or simplifies) a mechanicalproof.
- So when is the abstract view sufficient ?

Using UFs in proofs (cont’d)

- (common) Proving equivalence between:
- Two versions of a hardware design
- e.g., one with and one without a pipeline
- Source and target of a compiler (“Translation Validation”)
- (rare) Proving properties that do not rely on the exact functionality of some of the functions.

Example: Translation Validation

- Assume the source program has the statementz= (x1+y1) (x2+y2)

which the compiler turned into:u1=x1+y1;u2=x2+y2;z=u1u2 ;

- We need to prove that:(u1=x1+y1 u2=x2+y2 z=u1u2)z= (x1+y1) (x2+y2)

Example (cont’d)

(u1=x1+y1 u2=x2+y2 z=u1u2) z= (x1+y1) (x2+y2)

(u1=F1(x1,y1) u2=F2(x2,y2) z=G1(u1,u2)) z=G2(F1(x1,y1), F2(x2,y2))

- Claim: is valid
- We will prove this by reducing it to an Equality Logic formula

UF:

Uninterpreted Functions: usability

- Good: each function on the left can be mapped to a function on the right with equivalent arguments
- Bad: almost all other cases
- Example:

Left Right

x + x 2x

Uninterpreted Functions: usability

- This is easy to prove:

x1=x2y1=y2x1+y1=x2+y2

- This requires knowledge on commutativity:

x1=y2y1= x2x1+y1=x2+y2

- easy fix:

((x1=x2y1=y2) (x1=y2x2=y1)) f1= f2

- What about other cases ?useRewriting rules

These two functions return the same value regardless if it is ‘*’ or any other function.

Conclusion: we can prove equivalence by replacing ‘*’ with an Uninterpreted Function

Example: equivalence of C programs (1/4)Power3_new(int in) {

out = (in*in)*in;

return out;

}

Power3(int in) {

out = in;

for (i=0; i < 2; i++)

out = out * in;

return out;

}

But first… we need to know how to write programs as equations.

We will learn one out of several options, namely Static Single Assignment for Bounded programs.

Example: equivalence of C programs (1/4)Power3_new(int in) {

out = (in*in)*in;

return out;

}

Power3(int in) {

out = in;

for (i=0; i < 2; i++)

out = out * in;

return out;

}

In this case we can replace with a guard: y3Ãx2 < 3 ? y1 : y2

Problem: What do we do with loops ?

Static Single Assignment formSSA for bounded programs

- For each loop i in a given program, let ki be a bound on its iteration count.
- Unroll the program according to the bounds.
- We are left with statements and conditions.

:

x = 0;

while (x < y) {

x++;

z = z + y;

}

x = 0;

z = z * 2;

Let k1 = 2

…

x0 = 0

guard0 = x0 < y0

x1 = guard0 ? x0 + 1:x0

z1 = guard0 ? z0 + y0:z0

guard1 = x1 < y0

x2 = guard1 ? x1 + 1: x1

z2 = guard1 ? z1 + y0: z1

x4 = 0

z3 = z2 * 2

SSA for bounded programsExample: equivalence of C programs (2/4)

Power3_new(int in) {

out = (in*in)*in;

return out;

}

Power3(int in) {

out = in;

for (i=0; i < 2; i++)

out = out * in;

return out;

}

Static Single Assignment (SSA) form:

out0 = inÆ

out1 = out0 * in Æ

out2 = out1 * in

out’0 = (in’ * in’) * in’

Prove that both functions return the same value (out2= out’0) given that in = in’

Example: equivalence of C programs (3/4)

Static Single Assignment (SSA) form:

out0 = inÆ

out1 = out0 * in Æ

out2 = out1 * in

out’0 = (in’ * in’) * in’

With Uninterpreted Functions:

out’0 = F4(F3(in’ , in’) , in’)

out0 = inÆ

out1 = F1 (out0 , in) Æ

out2 = F2 (out1 , in)

Example: equivalence of C programs (4/4)

With Uninterpreted Functions:

out’0 = F4(F3(in’ , in’) , in’)

out0 = inÆ

out1 = F1 (out0 , in) Æ

out2 = F2 (out1 , in)

Ackermann’s reduction:

Ea: out0 = inÆ

out1 = f1Æ

out2 = f2

Eb: out’0 = f4

The Verification Condition (“the proof obligation”)

((out0 = out1 Æin = in) !f1 = f2) Æ

((out0 = in’ Æin = in’) !f1 = f3) Æ

((out0 = f3Æin= in’) !f1 = f4) Æ

((out1 = in’ Æin= in’) !f2 = f3) Æ

((out1 = f3Æin= in’) !f2 = f4) Æ

((in’ = f3Æin’ = in’) !f3 = f4)

Ea Æ Eb

Æ (in=in’) Æ

!out2 = out’0

Uninterpreted Functions: simplifications

- Let n be the number of function instances of F()
- Both reduction schemes require O(n2) comparisons
- This can be the bottleneck of the verification effort
- Solution: try to guess the pairing of functions
- Still sound: wrong guess can only make a valid formula invalid

UFs: simplifications (1)

- Given thatx1 = x1’,x2 = x2’,x3 = x3’,prove² o1 = o2

o1 = (x1 + (a¢x2)) a = x3 + 5 Left

f1f2

o2 = (x1’ + (b¢x2’)) b = x3’ + 5 Right

f3f4

- 4 function instances 6 comparisons

UFs: simplifications (2)

o1 = (x1 + (a¢x2)) a = x3 + 5 Left

f1f2

o2 = (x1’ + (b¢x2’)) b = x3’ + 5 Right

f3f4

- Guess: validity of equivalence does not rely onf1=f2or onf3=f4
- Conclusion: only enforce functional consistency of pairs (Left,Right)

UFs: simplifications (3)

o1 = (x1 + (a¢x2)) a = x3 + 5 Left

f1f2

o2 = (x1’ + (b¢x2’)) b = x3’ + 5 Right

f3f4

- Down to 4 comparisons… (from n(n-1)/2 to n2/4)
- Another Guess: validity of equivalence only depends on f1 =f3and f2 =f4
- Pattern matching can be useful here ...

+

Match according

to patterns (‘signatures’):

in

¢

5

in

in

in

f1,f3

f2,f4

UFs: simplifications (4)o1 = (x1 + (a¢x2)) a = x3 + 5 Left

f1f2

o2 = (x1’ + (b¢x2’)) b = x3’ + 5 Right

f3f4

- Down to 2 comparisons…

UFs: simplifications (5)

o1 = (x1 + (a¢x2)) a = x3 + 5 Left

f1f2

o2 = (x1’ + (b¢x2’)) b = x3’ + 5 Right

f3f4

+

+

Propagate through

intermediate variables:

¢

¢

in

in

var

+

in

in

+

5

in

5

in

f1,f3

in

F

in

in

F

in

in

Same exampleStatic Single Assignment (SSA) form:

- map F1 to F3

out0 = inÆ

out1 = out0 * in Æ

out2 = out1 * in

out’0 = (in’ * in’) * in’

With Uninterpreted Functions:

out’0 = F4(F3(in’ , in’) , in’)

out0 = inÆ

out1 = F1 (out0 , in) Æ

out2 = F2 (out1 , in)

- map F2 to F4

Same example, smaller Verification Condition

With Uninterpreted Functions:

out’0 = F4(F3(in’ , in’) , in’)

out0 = inÆ

out1 = F1 (out0 , in) Æ

out2 = F2 (out1 , in)

Ackermann’s reduction:

Eb: out’0 = f4

Ea: out0 = inÆ

out1 = f1Æ

out2 = f2

The Verification Condition has shrunk:

((out0 = in’ Æin = in’) !f1 = f3) Æ

((out1 = f3Æin= in’) !f2 = f4)

Æ (in=in’) ÆEa Æ Eb!out2 = out’0

now with Bryant’s reduction:

With Uninterpreted Functions:

out’0 = F4(F3(in’ , in’) , in’)

out0 = inÆ

out1 = F1 (out0 , in) Æ

out2 = F2 (out1 , in)

Bryant’s reduction:

Eb: out’0 =

case

case in’=outoÆin’=in : f1

true : f3 =out1

Æ in’=in:: f2

true : f4

Ea: out0 = inÆ

out1 = f1Æ

out2 = f2

The Verification Condition (“the proof obligation”)

Prove validity of:(EaÆEbÆin = in’) !out2 = out’0

So is Equality Logic with UFs interesting?

- It is expressible enough to state something interesting.
- It is decidable and more efficiently solvable than richer logics, for example in which some functions are interpreted.
- On the other, hand replacing functions with UF is an abstraction.
- Models which rely on infinite-type variables are more naturally expressed in this logic in comparison with Propositional Logic.

Download Presentation

Connecting to Server..