
Part 1: Positive Equality for Uninterpreted functions in Eager Encoding


Presentation Transcript


  1. Part 1: Positive Equality for Uninterpreted functions in Eager Encoding

  2. Ackermann's Encoding vs. Bryant, German, Velev's Encoding
  • Eliminating function applications: two applications of an uninterpreted function f in a formula, f(x1) and f(x2)
  • Ackermann's encoding: f(x1) → vf1, f(x2) → vf2, together with the functional-consistency constraint x1 = x2 ⇒ vf1 = vf2
  • Bryant, German, Velev's encoding: f(x1) → vf1, f(x2) → ITE(x1 = x2, vf1, vf2)

  3. Positive Equality Optimization
  • Goal: replace as many of the vfi variables as possible with constant values, exploiting the positive structure of the formula
  • Overall benefit: the function-free formula has fewer domain variables, which reduces the number of interpretations to check for validity

  4. Ackermann's Encoding vs. Bryant, German, Velev's Encoding (revisited)
  • Eliminating function applications: two applications of an uninterpreted function f in a formula, f(x1) and f(x2)
  • Ackermann's encoding: f(x1) → vf1, f(x2) → vf2, with the constraint x1 = x2 ⇒ vf1 = vf2
  • Bryant, German, Velev's encoding: f(x1) → vf1, f(x2) → ITE(x1 = x2, vf1, vf2); the nested ITE favors positive equality analysis

  5. EUF: Logic of Equality with Uninterpreted Functions
  • Terms: ITE(F, T1, T2) (if-then-else), f(T1, …, Tk) (function application)
  • Formulas: ¬F, F1 ∧ F2, F1 ∨ F2 (Boolean connectives), T1 = T2 (equation), p(T1, …, Tk) (predicate application)
  • Special cases: v, a domain variable (order-0 function); a, a propositional variable (order-0 predicate)

  6. EUF and the small-model property
  • Small Model Property for Validity [Ackermann '54]: it suffices to consider a domain with k values, where k is the number of distinct function-application terms in the formula
  • Number of cases (interpretations) to check: k!
  • Example: (x = y) ⇒ (f(g(x)) = f(g(y))); function-application terms: {x, y, g(x), g(y), f(g(x)), f(g(y))}, so k = 6

  7. Positive Equality for EUF [Bryant, German, Velev CAV'99]
  • Classify formulas, terms and function symbols into positive (p) and general (g)
  • Positive (p) formulas: negated an even number of times, and do not control an ITE
  • Positive (p) terms: never appear in an equation that is a g-formula
  • Positive (p) function symbols: all of their applications are p-terms
  • Example: (x = y) ⇒ (f(g(x)) = f(g(y))); the antecedent x = y is a g-formula, so x, y are general (g) functions, while f, g are positive (p) functions and the consequent is a p-formula

  8. Maximally Diverse Interpretations
  • An interpretation I is maximally diverse if, for any p-function symbol f:
  • I[f(T1) = f(T2)] iff I[T1 = T2]
  • I[f(T)] ≠ I[g(U)] for any other function symbol g, where f(T1), f(T2), g(U) are terms in the formula
  • Example with g a p-function: x, y are potentially equal; g(x), g(y) are equal only if x = y; g(x), y are never equal

  9. Maximally Diverse Interpretations (continued)
  • An interpretation I is maximally diverse if, for any p-function symbol f: I[f(T1) = f(T2)] iff I[T1 = T2], and I[f(T1)] ≠ I[g(U)] for any other function symbol g, where f(T1), f(T2), g(U) are terms in the formula
  • Property: a formula is valid if and only if it is true under all maximally diverse interpretations

  10. Justification of the Maximal Diversity Property
  • Create the worst case for validity: falsify positive equations; let function applications yield distinct results; let function arguments be distinct
  • For a formula F and any interpretation I, there is a maximally diverse interpretation J such that J[F] ⇒ I[F]; so if F is true under every maximally diverse interpretation it is true under every interpretation

  11. Exploiting Positive Equality
  • Property: for a p-function symbol f, introduce variables vf1, …, vfn during elimination and consider only diverse interpretations for them, i.e. vfi ≠ v for any other variable v
  • Example: f(x1) → vf1, f(x2) → ITE(x1 = x2, vf1, vf2); assuming vf1 ≠ vf2, the two eliminated applications are equal iff x1 = x2

  12. Summary: Positive equality optimization
  • Eliminate function applications, introducing vf1, …, vfn while eliminating function symbol f
  • For a p-function symbol f, replace vf1, …, vfn with distinct constants
  • The only variables left in the function-free formula are the vfi variables for g-function symbols; m = number of g-function applications

  13. Positive Equality for EUF
  • Property: number of interpretations to consider = m!, where m = number of g-function applications
  • Example: (x = y) ⇒ (f(g(x)) = f(g(y))); general (g) functions: x, y; positive (p) functions: f, g

  14. Positive Equality for EUF: example
  • (x = y) ⇒ (f(g(x)) = f(g(y)))
  • Function-application terms: {x, y, g(x), g(y), f(g(x)), f(g(y))}
  • p-applications: {g(x), g(y), f(g(x)), f(g(y))}; g-applications: {x, y}, so m = 2
  • Search space reduced from 6! to 2!

  15. Application of positive equality
  • Pipelined processor verification: Bryant, German and Velev CAV'99; Velev and Bryant DAC'00; …
  • Observation: most uninterpreted functions that appear in a pipeline data-path are p-functions, e.g. the ALU, the PC incrementer, …
  • Other infinite-state system verification: Bryant, Lahiri, Seshia CAV'02; improves efficiency on benchmarks from cache-coherence verification, out-of-order processors and software

  16. Impact of Positive Equality
  • Positive equality can be exploited to improve performance [Bryant, Lahiri, Seshia CAV'02]

  17. Ackermann's encoding and positive equality
  • Two applications of an uninterpreted function f in a formula: f(x1) and f(x2)
  • Ackermann's encoding: f(x1) → vf1, f(x2) → vf2, with x1 = x2 ⇒ vf1 = vf2
  • Can't assign distinct values to vf1, vf2 for a p-function symbol f: with vf1 ≠ vf2 fixed, the constraint x1 = x2 ⇒ vf1 = vf2 collapses to x1 ≠ x2, so the case x1 = x2 is ignored
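The two eliminations of slides 2, 4 and 11, and the failure described on this slide, as an added worked example (this is illustration code written for this transcript, not the slides' own material and not UCLID's implementation). The term syntax, the helper names and the two formulas are this example's assumptions; validity of the function-free result is decided by brute force over a small domain, which the small-model property licenses. The point it makes: for the p-function f, fixing vf1, vf2 to distinct constants keeps the nested-ITE (Bryant, German, Velev) result equivalid with the input, but makes the Ackermann result of an invalid formula come out valid.

```python
"""Ackermann vs. Bryant/German/Velev function elimination, and why only the
nested-ITE form tolerates distinct constants for the vf variables of a
p-function.  Toy representation (this example's own, not UCLID's):
  ('var', name) | ('const', n) | ('app', f, (args,)) | ('ite', F, t1, t2)
  ('eq', t1, t2) | ('not', F) | ('and', F1, F2) | ('or', F1, F2)
"""
import itertools

def var(n): return ('var', n)
def const(c): return ('const', c)
def app(f, *args): return ('app', f, tuple(args))
def ite(c, a, b): return ('ite', c, a, b)
def eq(a, b): return ('eq', a, b)
def neg(F): return ('not', F)
def disj(*fs): return fs[0] if len(fs) == 1 else ('or', fs[0], disj(*fs[1:]))
def implies(F, G): return ('or', neg(F), G)

def eliminate(F, fn, method):
    """Remove every (unary) application of symbol `fn` from formula F.
    'bgv': f(a_i) -> ITE(a_i = a_1, vf1, ITE(a_i = a_2, vf2, ... vfi))
    'ack': f(a_i) -> vfi, with (a_i = a_j => vfi = vfj) conjoined as an
           antecedent, so the result is valid iff F is.
    Returns (function-free formula, [vf variable names])."""
    args = []                                  # arguments in elimination order
    def vf(i): return var(f'v{fn}{i}')
    def term(t):
        if t[0] in ('var', 'const'): return t
        if t[0] == 'ite': return ite(form(t[1]), term(t[2]), term(t[3]))
        new_args = tuple(term(a) for a in t[2])   # eliminate inside subterms first
        if t[1] != fn: return app(t[1], *new_args)
        a = new_args[0]
        if a not in args: args.append(a)
        i = args.index(a)
        if method == 'ack': return vf(i + 1)
        r = vf(i + 1)                          # value when a differs from all earlier args
        for j in range(i - 1, -1, -1):         # functional consistency via nested ITE
            r = ite(eq(a, args[j]), vf(j + 1), r)
        return r
    def form(F):
        if F[0] == 'eq': return eq(term(F[1]), term(F[2]))
        if F[0] == 'not': return neg(form(F[1]))
        return (F[0], form(F[1]), form(F[2]))
    G = form(F)
    if method == 'ack':                        # global functional-consistency constraints
        for i in range(len(args)):
            for j in range(i + 1, len(args)):
                G = implies(implies(eq(args[i], args[j]), eq(vf(i + 1), vf(j + 1))), G)
    return G, [f'v{fn}{i + 1}' for i in range(len(args))]

def evaluate(n, env):
    k = n[0]
    if k == 'var': return env[n[1]]
    if k == 'const': return n[1]
    if k == 'ite': return evaluate(n[2], env) if evaluate(n[1], env) else evaluate(n[3], env)
    if k == 'eq': return evaluate(n[1], env) == evaluate(n[2], env)
    if k == 'not': return not evaluate(n[1], env)
    if k == 'and': return evaluate(n[1], env) and evaluate(n[2], env)
    if k == 'or': return evaluate(n[1], env) or evaluate(n[2], env)
    raise ValueError(f'function application left in formula: {n}')

def symbols(n, vs, cs):
    if n[0] == 'var': vs.add(n[1])
    elif n[0] == 'const': cs.add(n[1])
    elif n[0] == 'app':
        for a in n[2]: symbols(a, vs, cs)
    else:
        for c in n[1:]: symbols(c, vs, cs)

def valid(F):
    """Brute-force validity of a function-free equality formula.  By the
    small-model property a domain of #variables + #constants values suffices."""
    vs, cs = set(), set()
    symbols(F, vs, cs)
    vs = sorted(vs)
    k = len(vs) + len(cs)
    assert all(c < k for c in cs)              # constants must lie inside the domain
    return all(evaluate(F, dict(zip(vs, vals)))
               for vals in itertools.product(range(k), repeat=len(vs)))

def substitute(n, binding):
    """Replace the vf variables named in `binding` by constants."""
    if n[0] == 'var': return const(binding[n[1]]) if n[1] in binding else n
    if n[0] == 'const': return n
    if n[0] == 'app': return app(n[1], *[substitute(a, binding) for a in n[2]])
    return (n[0],) + tuple(substitute(c, binding) for c in n[1:])

def check(F, method, distinct_constants):
    """Eliminate f, optionally fix vf1, vf2, ... to the distinct constants
    0, 1, ... (the positive-equality step), and decide validity by brute force."""
    G, names = eliminate(F, 'f', method)
    if distinct_constants:
        G = substitute(G, {n: i for i, n in enumerate(names)})
    return valid(G)

x1, x2, y, z = var('x1'), var('x2'), var('y'), var('z')
# f is a p-function in both formulas: it occurs only in un-negated equations.
VALID = disj(neg(eq(x1, x2)), eq(app('f', x1), app('f', x2)))               # x1 = x2 => f(x1) = f(x2)
INVALID = disj(neg(eq(x1, x2)), eq(app('f', x1), y), eq(app('f', x2), z))   # false for x1 = x2, y = z != f(x1)

if __name__ == '__main__':
    for name, F in (('valid', VALID), ('invalid', INVALID)):
        for method in ('ack', 'bgv'):
            print(name, method, 'free:', check(F, method, False), 'constants:', check(F, method, True))
```

For INVALID, both encodings correctly report "not valid" while vf1, vf2 stay variables; after substituting 0 and 1, the nested-ITE encoding still reports "not valid" (the instance x1 = x2 = 0, y = z = 1 survives), whereas the Ackermann encoding reports "valid" because its antecedent has become x1 ≠ x2 and the only falsifying case has been discarded.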

  18. Limitation of positive equality analysis
  • Example: (f(x) = x) ⇒ (f(f(f(f(x)))) = f(f(f(x))))
  • Function-application terms: {x, f(x), f²(x), f³(x), f⁴(x)}; g-applications: all five; p-applications: {}
  • Positive functions: none; general functions: x, f
  • Limitation of the previous approach: it is not "robust", the entire analysis fails even when a single application is negative

  19. Robust Positive Equality Analysis [Lahiri, Bryant, Goel, Talupur TACAS'04]
  • Look at each application instead of each function symbol: finer granularity for exploiting positive equality
  • Same example, (f(x) = x) ⇒ (f⁴(x) = f³(x)): function-application terms {x, f(x), f²(x), f³(x), f⁴(x)}; p-terms: {f²(x), f³(x), f⁴(x)}; g-terms: {x, f(x)}
  • Positive functions: none; general functions: x, f (at the symbol level nothing changes; the gain is per term)

  20. Robust Positive Equality Analysis
  • Goal: if a variable vfi results from eliminating a p-term, try to assign it a distinct constant
  • Question: can we always assign the vfi variable of any p-term a distinct value? Not always
  • Question: can we compute the set of p-terms that maximizes the number of vfi variables that can be assigned distinct values? In general, NP-complete

  21. Outline
  • Robust positive equality
  • "Robust" maximal diversity theorem
  • Exploiting robust positive equality: obstacles, solutions, results
  • Related work

  22. Robust Maximal Diversity
  • For an interpretation I, a p-term f(T) is called g-arg-distinct if there is no g-term f(U) such that I[T] = I[U]
  • An interpretation I is robust maximally diverse if, for every g-arg-distinct p-term f(T1):
  • I[f(T1) = f(T2)] iff I[T1 = T2]
  • I[f(T1)] ≠ I[g(U)] for any other function symbol g, where f(T1), f(T2), g(U) are terms in the formula

  23. Robust Maximal Diversity: example
  • Definition as on the previous slide: a p-term f(T) is g-arg-distinct under I if no g-term f(U) has I[T] = I[U]; I is robust maximally diverse if every g-arg-distinct p-term f(T1) satisfies I[f(T1) = f(T2)] iff I[T1 = T2] and I[f(T1)] ≠ I[g(U)] for any other function symbol g
  • Example: (f(x) = x) ⇒ (f⁴(x) = f³(x)), with g-terms x, f(x) and p-terms f²(x), f³(x), f⁴(x)
  • I = {x, f²(x), f⁴(x)}, {f(x), f³(x)} (the classes of terms with equal value) is not robust maximally diverse: f²(x) is g-arg-distinct, since its argument f(x) differs from x under I, yet it equals the non-f term x

  24. Robust Maximal Diversity Theorem
  • Theorem: a formula is valid if and only if it is true under all robust maximally diverse interpretations
  • Generalization of positive equality: any robust maximally diverse interpretation is a maximally diverse interpretation, and the subset inclusion can be proper
  • Consequence: fewer interpretations to consider when checking validity

  25. Exploiting Robust Positive Equality
  • Function applications f(x1), …, f(xl), …, f(xi), …, f(xn), ordered so that f(x1), …, f(xl) contains all the g-terms for f
  • Introduce variables vf1, …, vfn during elimination; with the nested-ITE elimination, vfi is the value of f(xi) exactly when xi does not equal any of x1, …, xi-1
  • In that case, for i > l, f(xi) is g-arg-distinct (its argument differs from the argument of every g-term of f), so by the robust maximal diversity theorem vfi can be assigned a distinct constant

  26. What we need
  • Eliminate the g-terms as early as possible
  • Constrained by the sub-expression ordering: e.g. f(x) has to be eliminated before eliminating f(f(x))
  • Need the best topological order: one that respects the sub-expression orderings and maximizes the number of vf variables that can be assigned a distinct constant value
  • Need to define this objective function precisely

  27. Function elimination and topological order
  • Requires a topological order on the terms that respects the sub-expression order: eliminate functions from sub-terms first
  • Example: (f(x) = x) ⇒ (f⁴(x) = f³(x)); order x, f(x), f²(x), f³(x), f⁴(x), the only order for this example

  28. Function elimination and topological order
  • The vf variables of some p-terms can't be assigned distinct values: p-terms that are subterms of a g-term with the same function symbol
  • Example: (f(f(x)) = x) ⇒ (f⁴(x) = f³(x)); here f²(x) is a g-term, and the p-term f(x) always precedes it in the only order x, f(x), f²(x), f³(x), f⁴(x)

  29. Topological ordering and the p-terms
  • For a topological order <, Pos<(f) is the set of p-terms of f which do not precede any g-term of f in <
  • Pos< = ∪f Pos<(f)

  30. Topological ordering: Example 1
  • Pos<(f): the set of p-terms of f which do not precede any g-term of f in <; Pos< = ∪f Pos<(f)
  • Example: (f(x) = x) ⇒ (f⁴(x) = f³(x)) with x < f(x) < f²(x) < f³(x) < f⁴(x); the g-terms are x and f(x), so Pos< = {f²(x), f³(x), f⁴(x)}

  31. Topological ordering
  • Property: the vfi variables that result from eliminating the terms in Pos< can be assigned distinct constant values
  • Goal: find the topological order < that maximizes the size of Pos<
  • Recall: Pos<(f) is the set of p-terms of f which do not precede any g-term of f in <, and Pos< = ∪f Pos<(f)

  32. Finding the best topological ordering
  • With multiple non-zero-arity function symbols, the best order may not be the best for each symbol
  • Example: the equation f(g(x)) = g(f(x)) appearing as a g-formula, so that f(g(x)) and g(f(x)) are g-terms and x, g(x), f(x) are p-terms; three of the topological orders on the terms:
  • x < g(x) < f(g(x)) < f(x) < g(f(x)): Pos< = {x, f(x)}, not the best for g
  • x < f(x) < g(f(x)) < g(x) < f(g(x)): Pos< = {x, g(x)}, not the best for f
  • x < g(x) < f(x) < g(f(x)) < f(g(x)): Pos< = {x}

  33. Obtaining the best topological order
  • Complexity: NP-complete in general (reduction from the maximum independent set problem); polynomial when there is only one non-zero-arity function symbol
  • Greedy heuristic to find a good order: assign higher priorities to p-terms of functions with a greater number of "potential" terms in Pos<
  • Finds the optimal order for most of the examples we have seen so far
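The definitions of slides 7, 18 and 19 (p/g classification by polarity), slides 22 and 23 (g-arg-distinct terms and the robust maximal diversity check) and slides 29 to 33 (Pos< for a topological order and the search for the best order), as one added worked example. It is illustration code written for this transcript, not the slides' own material and not UCLID's; the term syntax, the helper names and the exhaustive enumeration of topological orders (which stands in for the greedy heuristic of slide 33 and is only practical for slide-sized formulas) are this example's assumptions. The three formulas are the ones on slides 18, 28 and 32, and the partition is the one on slide 23.

```python
"""p/g classification of terms, Pos_< for a topological order, exhaustive search
for the best order, and the robust-maximal-diversity check.  Toy term syntax of
this example (not UCLID's): ('x',) is a variable, ('f', t) an application;
formulas are ('eq', t1, t2), ('not', F), ('and', F1, F2), ('or', F1, F2) and
('implies', F1, F2)."""

def subterms(t):
    """All subterms of t, innermost first, without duplicates."""
    out = []
    for a in t[1:]:
        out += [s for s in subterms(a) if s not in out]
    return out + ([] if t in out else [t])

def classify(F):
    """Return (terms, g_terms): every term of F in subterm order, and those
    that are a side of an equation negated an odd number of times (a g-formula).
    All other terms are p-terms."""
    terms, g_terms = [], set()
    def walk(F, positive):
        if F[0] == 'eq':
            for side in F[1:]:
                terms.extend(s for s in subterms(side) if s not in terms)
                if not positive: g_terms.add(side)
        elif F[0] == 'not': walk(F[1], not positive)
        elif F[0] == 'implies': walk(F[1], not positive); walk(F[2], positive)
        else: walk(F[1], positive); walk(F[2], positive)      # 'and' / 'or'
    walk(F, True)
    return terms, g_terms

def pos(order, g_terms):
    """Pos_<: the p-terms that precede no g-term with the same head symbol."""
    idx = {t: i for i, t in enumerate(order)}
    return {t for t in order if t not in g_terms
            and all(idx[u] < idx[t] for u in g_terms if u[0] == t[0])}

def topological_orders(terms):
    """Every linear order of `terms` listing each subterm before its superterm."""
    def extend(placed, remaining):
        if not remaining:
            yield placed
            return
        for t in remaining:
            if all(a in placed for a in t[1:]):
                yield from extend(placed + [t], [u for u in remaining if u != t])
    yield from extend([], terms)

def best_order(F):
    """Exhaustive search (the general problem is NP-complete, slide 33) for the
    topological order maximising |Pos_<|.  Returns (order, Pos_<, g_terms)."""
    terms, g_terms = classify(F)
    best = max(topological_orders(terms), key=lambda o: len(pos(o, g_terms)))
    return best, pos(best, g_terms), g_terms

def robust_violation(classes, terms, g_terms):
    """`classes`: an interpretation given as sets of terms with equal value.
    Returns a (p-term, other term) pair that breaks robust maximal diversity,
    or None when the interpretation is robust maximally diverse."""
    val = {t: i for i, c in enumerate(classes) for t in c}
    def argvals(t): return tuple(val[a] for a in t[1:])
    for t in terms:
        if t in g_terms: continue
        # not g-arg-distinct: a g-term of the same symbol has equal arguments
        if any(u[0] == t[0] and argvals(u) == argvals(t) for u in g_terms): continue
        for u in terms:
            if u == t: continue
            if u[0] == t[0]:                   # same symbol: equal iff arguments are equal
                if (val[u] == val[t]) != (argvals(u) == argvals(t)): return (t, u)
            elif val[u] == val[t]:             # different symbol: must differ
                return (t, u)
    return None

x = ('x',)
def f(t): return ('f', t)
def g(t): return ('g', t)
def eq(a, b): return ('eq', a, b)
def neg(F): return ('not', F)
def implies(a, b): return ('implies', a, b)
f2, f3, f4 = f(f(x)), f(f(f(x))), f(f(f(f(x))))

EX_LIMIT = implies(eq(f(x), x), eq(f4, f3))    # g-terms x, f(x); Pos_< = {f2, f3, f4}
EX_SUBTERM = implies(eq(f2, x), eq(f4, f3))    # g-terms x, f2; f(x) precedes f2, Pos_< = {f3, f4}
EX_TWO_SYMBOLS = neg(eq(f(g(x)), g(f(x))))     # six orders; the best ones reach |Pos_<| = 2
EX_PARTITION = [{x, f2, f4}, {f(x), f3}]       # not robust maximally diverse: f2 equals x

if __name__ == '__main__':
    for F in (EX_LIMIT, EX_SUBTERM, EX_TWO_SYMBOLS):
        order, P, G = best_order(F)
        print(order, '\n  g-terms:', G, '\n  Pos_<:', P)
    terms, G = classify(EX_LIMIT)
    print('violation:', robust_violation(EX_PARTITION, terms, G))
```

Note that `robust_violation` skips p-terms that are not g-arg-distinct, so the interpretation that makes every term equal (f(x) = x, hence all f^i(x) equal) is reported as robust maximally diverse, as the definition requires; the slide's partition is rejected because f²(x) is g-arg-distinct but shares a value with the non-f term x.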

  34. Sample Results
  • Implemented in the UCLID decision procedure, with the zChaff SAT solver
  • Code validation benchmarks [Pnueli, Rodeh, Strichman, Siegel CAV'99]

  35. Observations
  • Robust positive equality improves efficiency and is useful in practice
  • Small overhead (about +5%) over positive equality analysis; an efficient implementation can further reduce this overhead
  • Seldom affects total time, since translation time to SAT is a small fraction of the overall time

  36. Related work
  • Pnueli, Rodeh, Strichman & Siegel CAV'99: removes function applications by Ackermann's reduction, then performs range allocation on the resulting formula, assigning smaller ranges to g-terms
  • Rodeh & Strichman CAV'01: uses Bryant, German & Velev's function elimination method plus range allocation; has similarities with and differences from our work

  37. Conclusions
  • Positive equality simplifies the function-free formula by reducing the number of variables in it
  • Robust positive equality is a generalization of positive equality that improves applicability to more general benchmarks
  • Can be extended to CLU logic (T1 < T2 + c) [BLS02; Lahiri MS Thesis]
  • Can we generalize it for linear arithmetic + EUF?

  38. Questions

  39. Decision Procedure Benchmarking
  • Compared against the Stanford Validity Checker (SVC) and its successor CVC (which uses Chaff), which decides CLU + real linear arithmetic + bit-vector arithmetic
  • UCLID uses Chaff for Boolean SAT; UCLID time = translation time + Chaff time



  42. Compare: Ackermann's Method
  • Replacing an application: introduce a new domain variable (f(x1) → vf1, f(x2) → vf2)
  • Enforce functional consistency by global constraints (x1 = x2 ⇒ vf1 = vf2)
  • Unclear how to generate diverse interpretations

  43. Decision Procedures in Verification
  • Work-horse for many automated verification methodologies
  • Processor and protocol verification: pipelined processor verification (Burch & Dill CAV'94; Bryant, German & Velev CAV'99; …); out-of-order processor and cache coherence verification (Lahiri, Seshia & Bryant FMCAD'02; Bryant, Lahiri & Seshia CAV'02)
  • Predicate abstraction for software verification: SLAM (MSR), BLAST (Berkeley), MAGIC (CMU), …
  • Protocol verification: Das, Dill & Park CAV'99, …

  44. Decision Procedures for the quantifier-free fragment of first-order logic
  • Principal theories: logic of equality with uninterpreted functions (e.g. f(x) = f(g(y))); linear arithmetic, both the difference-bound logic subset (T1 < T2 + c) and full linear arithmetic; arrays with read and write operations
  • Tools: SVC/CVC from Stanford (FMCAD'96, CAV'02, CAV'04); UCLID from CMU (CAV'02, CAV'04); ICS from SRI (CAV'01); Simplify/Verifun from HP (CAV'03); Zapato from Microsoft (CAV'04); …

  45. Revisiting Positive Equality: Shuvendu K. Lahiri, Randal E. Bryant, Amit Goel, Muralidhar Talupur (Carnegie Mellon University)

  46. Conclusions
  • Generalization of Bryant et al.'s positive equality analysis; subsumes the original positive equality
  • Exploiting robust positive equality in a decision procedure: problems and heuristics
  • Future work: integrate smaller range allocation for the g-terms (Pnueli et al. CAV'99; Talupur et al. CAV'04)

  47. Positive Equality for EUF
  • Split the set of terms into p-terms (function applications of p-functions) and g-terms (function applications of g-functions)
  • Example: (x = y) ⇒ (f(g(x)) = f(g(y))); general (g) functions: x, y; positive (p) functions: f, g

  48. Definition
  • P-term: a term which never appears in an equation that is a g-formula
  • G-term: a term which appears at least once in an equation that is a g-formula
  • Example: (f(x) = x) ⇒ (f⁴(x) = f³(x)); g-terms: x, f(x); p-terms: f²(x), f³(x), f⁴(x)

  49. Eliminating Function Applications [Bryant, German & Velev CAV'99]
  • Replacing an application: introduce a new domain variable
  • A nested ITE structure maintains functional consistency: f(x1) → vf1; f(x2) → ITE(x1 = x2, vf1, vf2); f(x3) → ITE(x1 = x3, vf1, ITE(x2 = x3, vf2, vf3))

  50. Robust maximally diverse interpretations
  • For a p-term h(T1, …, Tn): if its arguments do not equal the arguments of any g-term h(U1, …, Un), then it can only equal other h-application terms with equal arguments
  • Property: a formula is valid if and only if it is true under all robust maximally diverse interpretations
  • Example: (f(x) = x) ⇒ (f⁴(x) = f³(x)), g-terms x, f(x), p-terms f²(x), f³(x), f⁴(x); I = {x → 0, f(0) → 1, f(1) → 0, …} is not robust maximally diverse: the argument of f²(x) differs from the argument of the g-term f(x), yet I[f²(x)] = f(1) = 0 equals the non-f term x
