Title: Theorem Proving for FOL Satisfiability Procedures
1Theorem Proving for FOLSatisfiability Procedures
2Review
- Recall the we use the following logic
- Goals G L true G1 Æ G2 H
) G 8x. G - Hypotheses H L true H1 Æ H2
- Literals L p(E1, , Ek)
- Expressions E n f(E1, , Em)
- This is sufficient for VCGen iff
- The invariants, preconditions and postcond. are
all from H
3A Simple and Complete Prover
- Define the following symbolic prove algorithm
- Prove(H, G) - prove the goal H ) G
- Prove(H, true) true
- Prove(H, G1 Æ G2) prove(H, G1) prove(H,
G2) - Prove(H, H1 ) G2) prove(H Æ H1, G2)
- Prove(H, 8x. G) prove(H, Ga/x) (a is
fresh) - Prove(H, L) unsat(H Æ L)
- We have a simple, sound and complete prover
- If we have a way to check unsatisfiability of
sets of literals
4How Powerful is Our Prover?
- With VCGen in mind we must restrict invariants to
- H L true H1 Æ H2
- No disjunction, implication or quantification !
- Is that bad ?
- Consider the function
- void insert(LIST a, LIST b)
- LIST t a-gtnext a-gtnext b
b-gtnext t -
- And the problem is to verify that
- It preserves linearity all list cells are
pointed to by at most one other list cell - Provided that b is non-NULL and not pointed to by
any cell
5Lists and Linearity
- A bit of formal notation (remember the sel/upd)
- We write sel(n, a) to denote the value of
a-gtnext given the state of the next field is
n - We write upd(n, a, b) to denote the new state of
the next field after a-gtnext b - Code is void insert(LIST a, LIST b)
- LIST t a-gtnext a-gtnext
b b-gtnext t - Pre is (8q. q ¹ 0 ) 8p1.8p2. sel(n, p1) sel(n,
p2) q ) p1 p2) - Æ b ¹ 0 Æ 8p. sel(n, p) ¹ b) Æ a ¹ 0
- Post is (8q. q ¹ 0 ) 8p1.8p2. sel(n, p1) sel(n,
p2) q ) p1 p2) - VC is Pre ) Postupd(upd(n, a, b), b, sel(n,
a)) / n Not a G !
6Two Solutions
- So it is quite easy to want to step outside H
- So what can we do?
- Extend the language of H
- And then extend the prover
- Push the complexity of invariants into literals
- And then extend the unsatisfiability procedure
7Goal Directed Theorem Proving (1)
- Finally we extend the use of quantifiers
- G L true G1 Æ G2 H ) G 8x. G 9x. G
- H L true H1 Æ H2 8x. H
- We have now introduced an existential choice
- Both in H ) 9x. G and 8x.H ) G
- Existential choices are postponed
- Introduce unification variables unification
- prove(H, 9x.G) prove(H, Gu/x ) (u is a
unif var) - prove(H, u t) instantiate u with t if u
Ï FV(t) - Still sound and complete goal directed proof
search ! - Provided that unsat can handle unification
variables !
8Goal Directed Theorem Proving (2)
- We can add disjunction (but only to goals)
- G true L G1 Æ G2 H ) G 8x. G G1 Ç
G2 - Extend prover as follows
- prove(H, G1 Ç G2) prove(H, G1) prove(H,
G2) - This introduces a choice point in proof search
- Called a disjunctive choice
- Backtracking is complete for this choice
selection - But only in intuitionistic logic !
9Goal Directed Theorem Proving (3)
- Now we extend a bit the language of hypotheses
- Important since this adds flexibility for
invariants and specs. - H L true H1 Æ H2 G )
H - We extend the prover as follows
- prove(H, (G1 ) H1) ) G)
- prove(H, G) (prove(H Æ H1, G)
prove(H, G1)) - This adds another choice (clause choice in
Prolog) expressed here also as a disjunctive
choice - Still complete with backtracking
10Goal Directed Theorem Proving (4)
- The VC for linear lists can be proved in this
logic ! - This logic is called Hereditary Harrop Formulas
- But the prover is not complete in a classical
sense - And thus complications might arise with certain
theories - Still no way to have disjunctive hypotheses
- The prover becomes incomplete even in
intuitionistic logic - E.g., cannot prove even that P Ç Q ) Q Ç P
- Lets try the other method instead
11A Theory of Linear Lists
- Push the complexity into literals
- Define new literals
- linear(n) def 8q. q ¹ 0 ) 8p1.8p2. sel(n, p1)
sel(n, p2) q ) p1 p2 - rc0(n, b) def b ¹ 0 ) 8p. sel(n, p) ¹ b
- Now the predicates become
- Pre is linear(n) Æ rc0(n, b) Æ a ¹ 0 Æ b ¹ 0
- Post is linear(n)
- VC is linear(n) Æ rc0(n, b) Æ a ¹ 0 Æ b ¹ 0 )
- linear(upd(upd(n, a,
b), b, sel(n, a)))) This is a G ! - The hard work is now in the satisfiability
procedure
12A Theory of Linear Lists
- In order to allow the prover to work with
linear and rc0 we must define their meaning - Semantically (by giving the definitions from
before) - Axiomatically (by giving a set of axioms that
define them)
- Now we can prove the VC with just three uses of
these axioms - Is this set of axioms complete?
13Discussion
- It makes sense to push hard work in literals
- Can be handled in a customized way within the Sat
procedures - The hand-crafted inference rules guide the prover
- The inference rules are useful lemmas
- Important technique 3
- Just like in type inference, or data flow
analysis
14Theories
- Now we turn to unsat(L1, , Lk)
- A theory consists of
- A set of function and predicate symbols (syntax)
- Definitions for the meaning of these symbols
(semantics) - Semantic or axiomatic definitions
- Example
- Symbols 0, 1, -1, 2, -2, , , -, , lt (with
the usual meaning) - Theory of integers with arithmetic (Presburger
arithmetic)
15Decision Procedures for Theories
- The Decision Problem
- Decide whether a formula in a theory FOL is
true - Example
- Decide whether 8x. x gt 0 ) (9 y. x y 1) in
N, , , gt - A theory is decidable when there is an algorithm
that solves the decision problem for the theory - This algorithm is the decision procedure for the
theory
16Satisfiability Procedures for Theories
- The Satisfiability Problem
- Decide whether a conjunction of literals in the
theory is satisfiable - Factor out the FOL part of the decision problem
- This is what we need to solve in our simple
prover - We will explore a few useful theories and
satisfiability procedures for them
17Examples of Theories. Equality.
- The theory of equality with uninterpreted
functions - Symbols , ¹, f, g,
- Axiomatically defined
- Example of a satisfiability problem
- g(g(g(x)) x Æ g(g(g(g(g(x))))) x
Æ g(x) ¹ x
18A Satisfiability Procedure for Equality
- Definitions
- Let R be a relation on terms
- The equivalence closure of R is the smallest
relation that is closed under reflexivity,
symmetry and transitivity - An equivalence relation
- Equivalence classes
- Given a term t we say that t is its
representative - Two terms t1 and t2 are equivalent iff t1 t2
- Computable in near-linear time (union-find)
- The congruence closure of a relation is the
smallest relation that is closed under
equivalence and congruence
19A Representation for Symbolic Terms
- We represent terms as DAGs
- Share common subexpressions
- E.g. f(f(a, b), b)
f
f
a
b
- Equalities are represented as dotted edges
- E.g. f(f(a, b), b) a
- We consider the transitive closure of dotted edges
20Computing Congruence Closure
- We pick arbitrary representativs for all
equivalence classes (nodes connected by dotted
edges) - For all nodes t f(t1, , tn) and s f(s1, ,
sn) - If ti si for all i 1..n (find)
- We add an edge between t and s and pick one of
them as the representative for the entire class
(union)
f
f
f
f
a
b
a
b
21Computing Congruence Closure (Cont.)
- Congruence closure is an inference procedure for
the theory of equality - Always terminates because it does not add nodes
- The hard part is to detect the congruent pairs or
terms - There are tricks to do this in O(n log n)
- We say that f(t1, , tn) is represented in the
DAG if there is a node f(s1, , sn) such that si
ti
22Satisfiability Procedure for Equality
- Given F Æi ti ti Æ Æj uj ¹ uj
- Represent all terms in the same DAG
- Add dotted edges for tI tI
- Construct the congruence closure of those edges
- Check that 8j. uj ¹ uj
- Theorem F is satisfiable iff 8j. uj ¹
uj
23Example with Congruence Closure
- Consider g(g(g(x)) x Æ g(g(g(g(g(x))))) x Æ
g(x) ¹ x
24Congruence Closure. Discussion.
- The example from before has little to do with
program verification - But equality is still very useful
- The congruence closure algorithm is the basis for
many unification-based satisfiability procedures - We add the additional axiom
- Or equivalently
25Presburger Arithmetic
- The theory of integers with , -, , gt
- The most useful in program verification after
equality - And quite useful for program analysis also
- Example of a satisfiability problem
- y gt 2x 1 Æ y x gt 1 Æ y lt 0
- Satisfiability of a system of linear inequalities
- Known to be in P (with rational solutions)
- Some of the algorithms are quite simple
- If we add the requirement that solutions are in Z
then the problem is NP-complete
26Difference Constraints
- A special case of linear arithmetic
- All constraints of the form
- xi - xj c or xi - 0 c or
0 - xj c - The most common form of constraint
- Construct a directed graph with
- A node for 0
- A node for each variable xi
- A edge from xi to xj of weight c for each xi - xj
c
c
xj
xi
27Difference Constraints
- Theorem
- A set of difference constraints is
satisfiable iff there is no negative weight cycle
in the graph - Can be solved with Bellman-Ford in O(n2)
- In practice n is typically quite small
- In practice we use incremental algorithms (to
account for assumptions being pushed and popped) - Algorithm is complete !
- Was used successfully in array-bounds checking
elimination and induction variable discovery
28Extensions of Difference Constraints
- Shostak extended the algorithm to ax by c
- Construct a graph as before
- One node for each variable
- One undirected edge for each constraint
- An admissible loop in this graph is a loop in
which any two adjacent edges ax by c and
dy ez f have sgn(b) ¹ sgn(d) - The residue of such adjacent edges is a
constraint on x and z - ad x eb z cd fb
- The residue for a loop is an inequality without
variables - Theorem The inequalities are satisfiable iff all
residues for simple loops are satisfiable
29How Complete are These Procedures?
- Consider 3x 2y Æ 3y 4 Æ 3 2x
3
x
y
Residue is 13.5 8 ) satisfiable
2
4.5
But only in Q, not in Z
0
- The unsat procedure is sound unsat Q ) unsat Z
- But it is incomplete !
- Not a problem in practice
- Or the problem goes away with tricks like this
- Transform ax b into x d b/a e
30Arithmetic. Discussion
- There are many satisfiability algorithms
- Even for the general case (e.g. Simplex)
- Except for difference constraints, all are
incomplete in Z - But Z can be handled well with heuristics
- There are no practical satisfiability procedures
for (Q, ) and the satisfiability of (Z, ) is
only semi-decidable
31Combining Satisfiability Procedures
- We have developed sat. procedures for several
theories - We considered each theory in part
- Can we combine several sat. procedures?
- Consider equality and arithmetic
32Combining Satisfiability Procedures
- Combining satisfiability procedures is non
trivial - And that was to be expected
- (Z, ) and (Q, ) are decidable, but (Z, ) is
not - Equality was solved by Ackerman in 1924,
arithmetic by Fourier even before, but E A only
in 1979 ! - Yet in any single verification problem we will
have literals from several theories - Equality, arithmetic, lists,
- When and how can we combine separate
satisfiability procedures?
33Nelson-Oppen Method (1)
- Represent all conjuncts in the same DAG
- f(f(x) - f(y)) ? f(z) Æ y x Æ x y z
Æ z 0
f
-
f
f
f
y
x
z
0
34Nelson-Oppen Method (2)
- Run each sat. procedure
- Require it to report all contradictions (as
usual) - Also require it to report all equalities between
nodes
f
-
f
f
f
y
x
z
0
35Nelson-Oppen Method (3)
- Broadcast all discovered equalities and re-run
sat. procedures - Until no more equalities are discovered or a
contradiction arises
f
x Contradiction
-
f
f
f
y
x
z
0
36Puzzle Constructive vs. Classical Proofs
- Prove the following fact
-
- Hint Try