Theorem Proving for FOL Satisfiability Procedures - PowerPoint PPT Presentation

About This Presentation
Title: Theorem Proving for FOL Satisfiability Procedures
Description: Prof. Necula, CS 294-8, Lecture 11
Slides: 37
Provided by: george265

Transcript and Presenter's Notes

1
Theorem Proving for FOL: Satisfiability Procedures
  • CS 294-8
  • Lecture 11

2
Review
  • Recall that we use the following logic:
    • Goals        G ::= L | true | G1 ∧ G2 | H ⇒ G | ∀x. G
    • Hypotheses   H ::= L | true | H1 ∧ H2
    • Literals     L ::= p(E1, …, Ek)
    • Expressions  E ::= n | f(E1, …, Em)
  • This is sufficient for VCGen iff the invariants, preconditions and
    postconditions are all from H

3
A Simple and Complete Prover
  • Define the following symbolic proof algorithm
  • Prove(H, G) proves the goal H ⇒ G:
    • Prove(H, true)     = true
    • Prove(H, G1 ∧ G2)  = prove(H, G1) ∧ prove(H, G2)
    • Prove(H, H1 ⇒ G2)  = prove(H ∧ H1, G2)
    • Prove(H, ∀x. G)    = prove(H, G[a/x])   (a is fresh)
    • Prove(H, L)        = unsat(H ∧ ¬L)
  • We have a simple, sound and complete prover, provided that we have a way
    to check unsatisfiability of sets of literals

4
How Powerful is Our Prover?
  • With VCGen in mind we must restrict invariants to
    H ::= L | true | H1 ∧ H2
  • No disjunction, implication or quantification!
  • Is that bad? Consider the function
      void insert(LIST a, LIST b) {
        LIST t = a->next; a->next = b; b->next = t;
      }
  • And the problem is to verify that it preserves linearity: all list cells
    are pointed to by at most one other list cell
  • Provided that b is non-NULL and not pointed to by any cell

5
Lists and Linearity
  • A bit of formal notation (remember sel/upd):
    • We write sel(n, a) to denote the value of a->next, given that the state
      of the next field is n
    • We write upd(n, a, b) to denote the new state of the next field after
      a->next = b
  • Code is
      void insert(LIST a, LIST b) { LIST t = a->next; a->next = b; b->next = t; }
  • Pre is (∀q. q ≠ 0 ⇒ ∀p1. ∀p2. sel(n, p1) = sel(n, p2) = q ⇒ p1 = p2)
           ∧ b ≠ 0 ∧ (∀p. sel(n, p) ≠ b) ∧ a ≠ 0
  • Post is (∀q. q ≠ 0 ⇒ ∀p1. ∀p2. sel(n, p1) = sel(n, p2) = q ⇒ p1 = p2)
  • VC is Pre ⇒ Post[upd(upd(n, a, b), b, sel(n, a)) / n]. Not a G!

6
Two Solutions
  • So it is quite easy to want to step outside H
  • So what can we do?
    • Extend the language of H, and then extend the prover
    • Push the complexity of invariants into literals, and then extend the
      unsatisfiability procedure

7
Goal Directed Theorem Proving (1)
  • Finally we extend the use of quantifiers:
    • G ::= L | true | G1 ∧ G2 | H ⇒ G | ∀x. G | ∃x. G
    • H ::= L | true | H1 ∧ H2 | ∀x. H
  • We have now introduced an existential choice, both in H ⇒ ∃x. G and in
    (∀x. H) ⇒ G
  • Existential choices are postponed: introduce unification variables
    • prove(H, ∃x. G) = prove(H, G[u/x])   (u is a unification variable)
    • prove(H, u = t) = instantiate u with t if u ∉ FV(t)
  • Still sound and complete goal-directed proof search!
  • Provided that unsat can handle unification variables!

8
Goal Directed Theorem Proving (2)
  • We can add disjunction (but only to goals)
    • G ::= true | L | G1 ∧ G2 | H ⇒ G | ∀x. G | G1 ∨ G2
  • Extend the prover as follows:
    • prove(H, G1 ∨ G2) = prove(H, G1) ∨ prove(H, G2)
  • This introduces a choice point in proof search, called a disjunctive
    choice
  • Backtracking is complete for this choice selection
  • But only in intuitionistic logic!

9
Goal Directed Theorem Proving (3)
  • Now we extend the language of hypotheses a bit
  • Important, since this adds flexibility for invariants and specs:
    • H ::= L | true | H1 ∧ H2 | G ⇒ H
  • We extend the prover as follows:
    • prove(H, (G1 ⇒ H1) ⇒ G) =
        prove(H, G) ∨ (prove(H ∧ H1, G) ∧ prove(H, G1))
  • This adds another choice (clause choice in Prolog), expressed here also
    as a disjunctive choice
  • Still complete with backtracking
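
The rules of slides 3, 8 and 9 as one runnable search procedure; this is an added example, not the lecture's code. It leaves out the quantified hypotheses and unification variables of slide 7, and it stands in for unsat(H ∧ ¬L) with the trivial theory in which a literal goal is proved only if the same literal occurs in H (an assumption of this example).

```python
# Added example (not the lecture's code): a goal-directed prover in the style
# of slides 3, 8 and 9 (no quantified hypotheses, no unification). Formulas
# are tuples: ("true",) ("lit", name, *terms) ("and", a, b) ("or", a, b)
# ("imp", h, g) ("forall", var, body); H is a list (a conjunction). The
# unsat(H ∧ ¬L) step is assumed to be the trivial theory: L must occur in H.
import itertools

_fresh = itertools.count()                         # supply of fresh constants

def subst(f, var, term):
    tag = f[0]
    if tag == "true" or (tag == "forall" and f[1] == var):
        return f                                   # nothing free, or var rebound
    if tag == "lit":
        return (tag, f[1]) + tuple(term if t == var else t for t in f[2:])
    if tag == "forall":
        return (tag, f[1], subst(f[2], var, term))
    return (tag, subst(f[1], var, term), subst(f[2], var, term))

def assume(H, h, g):
    """prove(H, h ⇒ g): move hypothesis h into H, splitting conjunctions and
    giving a hypothesis G1 ⇒ H1 the clause choice of slide 9."""
    tag = h[0]
    if tag == "true":
        return prove(H, g)
    if tag == "and":                               # (H1 ∧ H2) ⇒ g  ≡  H1 ⇒ H2 ⇒ g
        return assume(H, h[1], ("imp", h[2], g))
    if tag == "imp":                               # h = G1 ⇒ H1
        g1, h1 = h[1], h[2]
        return prove(H, g) or (assume(H, h1, g) and prove(H, g1))
    if tag == "lit":
        return prove(H + [h], g)
    raise ValueError("unsupported hypothesis form: " + tag)

def prove(H, g):
    """Goal-directed search for a proof of H ⇒ g; True iff one is found."""
    tag = g[0]
    if tag == "true":
        return True
    if tag == "and":
        return prove(H, g[1]) and prove(H, g[2])
    if tag == "or":                                # disjunctive choice (slide 8)
        return prove(H, g[1]) or prove(H, g[2])
    if tag == "imp":
        return assume(H, g[1], g[2])
    if tag == "forall":                            # fresh constant a for x (slide 3)
        return prove(H, subst(g[2], g[1], "a%d" % next(_fresh)))
    if tag == "lit":
        return g in H                              # stands in for unsat(H ∧ ¬L)
    raise ValueError("unknown goal form: " + tag)
```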

10
Goal Directed Theorem Proving (4)
  • The VC for linear lists can be proved in this logic!
  • This logic is called Hereditary Harrop Formulas
  • But the prover is not complete in a classical sense, and thus
    complications might arise with certain theories
  • Still no way to have disjunctive hypotheses
    • The prover becomes incomplete even in intuitionistic logic
    • E.g., cannot prove even that P ∨ Q ⇒ Q ∨ P
  • Let's try the other method instead

11
A Theory of Linear Lists
  • Push the complexity into literals: define new literals
    • linear(n) =def ∀q. q ≠ 0 ⇒ ∀p1. ∀p2. sel(n, p1) = sel(n, p2) = q ⇒ p1 = p2
    • rc0(n, b) =def b ≠ 0 ⇒ ∀p. sel(n, p) ≠ b
  • Now the predicates become
    • Pre is linear(n) ∧ rc0(n, b) ∧ a ≠ 0 ∧ b ≠ 0
    • Post is linear(n)
    • VC is linear(n) ∧ rc0(n, b) ∧ a ≠ 0 ∧ b ≠ 0 ⇒
            linear(upd(upd(n, a, b), b, sel(n, a)))   This is a G!
  • The hard work is now in the satisfiability procedure
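
An executable reading of the sel/upd notation and the linear/rc0 literals of slides 5 and 11, as an added example (not the lecture's code): the next-field state n is a dict from cell id to cell id with 0 as NULL, the predicates are evaluated on finite states, and the VC is checked on constructed instances (the states GOOD and ALIASED are made up for this example) rather than proved.

```python
# Added example (not the lecture's code): concrete model of sel/upd, linear
# and rc0.  A state n maps each cell id to its next cell id; 0 is NULL.

def sel(n, a):
    """Value of a->next in state n."""
    return n[a]

def upd(n, a, b):
    """State after a->next = b; the old state n is left unchanged."""
    m = dict(n)
    m[a] = b
    return m

def linear(n):
    """Every non-NULL cell is pointed to by at most one other cell."""
    pointed = [q for q in n.values() if q != 0]
    return len(pointed) == len(set(pointed))

def rc0(n, b):
    """b non-NULL implies no cell currently points to b."""
    return b == 0 or all(sel(n, p) != b for p in n)

def insert_next_state(n, a, b):
    """The next-field state after insert(a, b), i.e. upd(upd(n, a, b), b, sel(n, a))."""
    return upd(upd(n, a, b), b, sel(n, a))

def vc_holds(n, a, b):
    """The VC of slide 11 evaluated on one state: Pre ⇒ linear(post-state)."""
    pre = linear(n) and rc0(n, b) and a != 0 and b != 0
    return (not pre) or linear(insert_next_state(n, a, b))

# Constructed states (not from the lecture):
# cells 1 -> 2 -> 3 -> NULL plus a detached cell 4 to insert after cell 1
GOOD = {1: 2, 2: 3, 3: 0, 4: 0}
# the same list, but cell 3 already points to cell 4, so rc0(n, 4) fails and
# inserting 4 after 1 would give cell 4 two predecessors (1 and 3)
ALIASED = {1: 2, 2: 3, 3: 4, 4: 0}
```

Running the aliased state shows why the precondition rc0(n, b) is needed: the post-state is not linear, and the VC holds only because Pre is false there.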

12
A Theory of Linear Lists
  • In order to allow the prover to work with linear and rc0 we must define
    their meaning:
    • Semantically (by giving the definitions from before)
    • Axiomatically (by giving a set of axioms that define them)
  • Now we can prove the VC with just three uses of these axioms
  • Is this set of axioms complete?

13
Discussion
  • It makes sense to push the hard work into literals
    • It can be handled in a customized way within the sat procedures
    • The hand-crafted inference rules guide the prover
    • The inference rules are useful lemmas
  • Important technique, just like in type inference or data flow analysis

14
Theories
  • Now we turn to unsat(L1, …, Lk)
  • A theory consists of
    • A set of function and predicate symbols (syntax)
    • Definitions for the meaning of these symbols (semantics): semantic or
      axiomatic definitions
  • Example
    • Symbols 0, 1, -1, 2, -2, …, +, -, =, < (with the usual meaning)
    • Theory of integers with arithmetic (Presburger arithmetic)

15
Decision Procedures for Theories
  • The Decision Problem: decide whether a formula in a theory (with FOL) is
    true
  • Example: decide whether ∀x. x > 0 ⇒ (∃y. x = y + 1) in (N, +, =, >)
  • A theory is decidable when there is an algorithm that solves the
    decision problem for the theory
  • This algorithm is the decision procedure for the theory

16
Satisfiability Procedures for Theories
  • The Satisfiability Problem: decide whether a conjunction of literals in
    the theory is satisfiable
  • This factors out the FOL part of the decision problem
  • This is what we need to solve in our simple prover
  • We will explore a few useful theories and satisfiability procedures for
    them

17
Examples of Theories. Equality.
  • The theory of equality with uninterpreted functions
    • Symbols =, ≠, f, g, …
    • Axiomatically defined
  • Example of a satisfiability problem:
    g(g(g(x))) = x ∧ g(g(g(g(g(x))))) = x ∧ g(x) ≠ x

18
A Satisfiability Procedure for Equality
  • Definitions
    • Let R be a relation on terms
    • The equivalence closure of R is the smallest relation that contains R
      and is closed under reflexivity, symmetry and transitivity: an
      equivalence relation
    • Equivalence classes: each class has a chosen representative; two terms
      t1 and t2 are equivalent iff they have the same representative
    • Computable in near-linear time (union-find)
    • The congruence closure of a relation is the smallest relation that is
      closed under equivalence and congruence

19
A Representation for Symbolic Terms
  • We represent terms as DAGs, sharing common subexpressions
  • E.g. f(f(a, b), b)
    [Figure: DAG for f(f(a, b), b); nodes f, f, a, b, with the node b shared]
  • Equalities are represented as dotted edges
  • E.g. f(f(a, b), b) = a
  • We consider the transitive closure of dotted edges

20
Computing Congruence Closure
  • We pick arbitrary representatives for all equivalence classes (nodes
    connected by dotted edges)
  • For all nodes t = f(t1, …, tn) and s = f(s1, …, sn):
    • If ti and si have the same representative for all i = 1..n (find)
    • We add an edge between t and s and pick one of them as the
      representative for the entire class (union)
    [Figure: two term DAGs over a and b, with the congruent f nodes merged]

21
Computing Congruence Closure (Cont.)
  • Congruence closure is an inference procedure for the theory of equality
  • It always terminates because it does not add nodes
  • The hard part is to detect the congruent pairs of terms; there are
    tricks to do this in O(n log n)
  • We say that f(t1, …, tn) is represented in the DAG if there is a node
    f(s1, …, sn) such that si is equivalent to ti for all i

22
Satisfiability Procedure for Equality
  • Given F = ∧i ti = ti' ∧ ∧j uj ≠ uj'
    • Represent all terms in the same DAG
    • Add dotted edges for ti = ti'
    • Construct the congruence closure of those edges
    • Check that uj and uj' have different representatives for all j
  • Theorem: F is satisfiable iff ∀j. uj and uj' are not in the same
    congruence class

23
Example with Congruence Closure
  • Consider g(g(g(x))) = x ∧ g(g(g(g(g(x))))) = x ∧ g(x) ≠ x
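
The procedure of slides 20 to 22 run on this example, as an added example that is not the lecture's code: a union-find over the term DAG, congruence propagation on merge, and the final check that no disequation has both sides in one class. Term and class names are this example's own.

```python
# Added example (not the lecture's code): congruence closure with union-find
# over a term DAG, used as the satisfiability procedure of slide 22. Terms are
# strings (variables, constants) or tuples (f, arg1, ..., argn); equal tuples
# hash alike, so the dict keys are the shared DAG nodes.
class CongruenceClosure:
    def __init__(self):
        self.parent = {}   # union-find parent of every node
        self.uses = {}     # representative -> application nodes using its class

    def add(self, t):                 # enter t and its subterms as nodes
        if t in self.parent:
            return
        self.parent[t] = t
        self.uses[t] = []
        if isinstance(t, tuple):
            for a in t[1:]:
                self.add(a)
                self.uses[self.find(a)].append(t)

    def find(self, t):
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]   # path halving
            t = self.parent[t]
        return t

    def congruent(self, s, t):        # same symbol, pairwise equivalent args
        return (isinstance(s, tuple) and isinstance(t, tuple)
                and s[0] == t[0] and len(s) == len(t)
                and all(self.find(a) == self.find(b) for a, b in zip(s[1:], t[1:])))

    def merge(self, s, t):            # union, then merge newly congruent users
        rs, rt = self.find(s), self.find(t)
        if rs == rt:
            return
        old, new = self.uses.pop(rs), self.uses[rt]
        self.parent[rs] = rt
        self.uses[rt] = old + new
        for u in old:
            for v in new:
                if self.congruent(u, v):
                    self.merge(u, v)

def satisfiable(eqs, diseqs):
    """Slide 22: close the equalities under congruence; satisfiable iff no
    disequation ends up with both sides in one class."""
    cc = CongruenceClosure()
    for s, t in eqs + diseqs:
        cc.add(s); cc.add(t)
    for s, t in eqs:
        cc.merge(s, t)
    return all(cc.find(u) != cc.find(v) for u, v in diseqs)
```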

24
Congruence Closure. Discussion.
  • The example from before has little to do with program verification
  • But equality is still very useful
  • The congruence closure algorithm is the basis for many unification-based
    satisfiability procedures
  • We add the additional axiom
  • Or equivalently

25
Presburger Arithmetic
  • The theory of integers with +, -, =, >
  • The most useful in program verification after equality
  • And quite useful for program analysis also
  • Example of a satisfiability problem: y > 2x + 1 ∧ y + x > 1 ∧ y < 0
  • Satisfiability of a system of linear inequalities
    • Known to be in P (with rational solutions)
    • Some of the algorithms are quite simple
    • If we add the requirement that solutions are in Z then the problem is
      NP-complete

26
Difference Constraints
  • A special case of linear arithmetic
  • All constraints of the form xi - xj ≤ c or xi - 0 ≤ c or 0 - xj ≤ c
  • The most common form of constraint
  • Construct a directed graph with
    • A node for 0
    • A node for each variable xi
    • An edge from xi to xj of weight c for each xi - xj ≤ c
    [Figure: edge from xi to xj labelled c]

27
Difference Constraints
  • Theorem: a set of difference constraints is satisfiable iff there is no
    negative weight cycle in the graph
  • Can be solved with Bellman-Ford in O(n²)
  • In practice n is typically quite small
  • In practice we use incremental algorithms (to account for assumptions
    being pushed and popped)
  • The algorithm is complete!
  • Was used successfully in array-bounds checking elimination and induction
    variable discovery
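
The procedure of slides 26 and 27 as runnable code, added here and not taken from the lecture: the constraint graph is relaxed with Bellman-Ford, a negative-weight cycle is reported as unsatisfiability, and otherwise the shortest-path distances are returned as a solution. The two constraint sets UNSAT and SAT are constructed for this example.

```python
# Added example (not the lecture's code): the difference-constraint procedure
# of slides 26-27. A constraint (xi, xj, c) means xi - xj <= c and "0" names
# the constant node. Bellman-Ford from a virtual source (every distance starts
# at 0) relaxes along each constraint; the edges are traversed xj -> xi here,
# the reverse of the slide's drawing, which leaves every cycle weight unchanged.

def difference_constraints_satisfiable(constraints):
    """Return (True, assignment) if satisfiable, else (False, None)."""
    nodes = {"0"}
    for xi, xj, _ in constraints:
        nodes.update((xi, xj))
    dist = {v: 0 for v in nodes}
    for _ in range(len(nodes) + 1):        # |nodes| rounds converge, one more detects cycles
        changed = False
        for xi, xj, c in constraints:
            if dist[xj] + c < dist[xi]:    # relax until dist[xi] - dist[xj] <= c
                dist[xi] = dist[xj] + c
                changed = True
        if not changed:
            break                          # fixpoint: every constraint holds
    else:
        return False, None                 # still changing: negative-weight cycle
    shift = dist["0"]                      # normalise so the constant node is 0
    return True, {v: dist[v] - shift for v in nodes if v != "0"}

def satisfies(constraints, assignment):
    """Check an assignment (constant node fixed at 0) against every constraint."""
    val = lambda v: 0 if v == "0" else assignment[v]
    return all(val(xi) - val(xj) <= c for xi, xj, c in constraints)

# Constructed inputs (not from the lecture).
# x - y <= 2, y - z <= -3, z - x <= 0: the cycle x -> y -> z -> x has weight -1.
UNSAT = [("x", "y", 2), ("y", "z", -3), ("z", "x", 0)]
# x - y <= 2, y <= 1 and x >= 1 (written 0 - x <= -1): satisfiable, and the
# solution found is integral, matching the completeness claim of slide 27.
SAT = [("x", "y", 2), ("y", "0", 1), ("0", "x", -1)]
```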

28
Extensions of Difference Constraints
  • Shostak extended the algorithm to ax + by ≤ c
  • Construct a graph as before
    • One node for each variable
    • One undirected edge for each constraint
  • An admissible loop in this graph is a loop in which any two adjacent
    edges ax + by ≤ c and dy + ez ≤ f have sgn(b) ≠ sgn(d)
  • The residue of such adjacent edges is a constraint on x and z:
    a|d| x + e|b| z ≤ c|d| + f|b|
  • The residue for a loop is an inequality without variables
  • Theorem: the inequalities are satisfiable iff all residues for simple
    loops are satisfiable

29
How Complete are These Procedures?
  • Consider 3x ≥ 2y ∧ 3y ≥ 4 ∧ 3 ≥ 2x
    [Figure: loop through the nodes x, y and 0 with edge labels 3, 2 and 4.5]
  • Residue is 13.5 ≥ 8 ⇒ satisfiable
  • But only in Q, not in Z
  • The unsat procedure is sound: unsat in Q ⇒ unsat in Z
  • But it is incomplete!
  • Not a problem in practice
  • Or the problem goes away with tricks like this: transform ax ≤ b into
    x ≤ ⌊b/a⌋

30
Arithmetic. Discussion
  • There are many satisfiability algorithms, even for the general case
    (e.g. Simplex)
  • Except for difference constraints, all are incomplete in Z
  • But Z can be handled well with heuristics
  • There are no practical satisfiability procedures for (Q, ×) and the
    satisfiability of (Z, ×) is only semi-decidable

31
Combining Satisfiability Procedures
  • We have developed sat. procedures for several theories
  • We considered each theory separately
  • Can we combine several sat. procedures?
  • Consider equality and arithmetic

32
Combining Satisfiability Procedures
  • Combining satisfiability procedures is non-trivial
  • And that was to be expected: (Z, +) and (Q, ×) are decidable, but
    (Z, ×) is not
  • Equality was solved by Ackermann in 1924, arithmetic by Fourier even
    before, but E + A only in 1979!
  • Yet in any single verification problem we will have literals from
    several theories: equality, arithmetic, lists, …
  • When and how can we combine separate satisfiability procedures?

33
Nelson-Oppen Method (1)
  • Represent all conjuncts in the same DAG
  • f(f(x) - f(y)) ≠ f(z) ∧ y ≤ x ∧ x ≤ y + z ∧ z ≤ 0
    [Figure: shared DAG for the conjuncts, with nodes for f, -, f, f, f and
    the leaves y, x, z, 0]

34
Nelson-Oppen Method (2)
  • Run each sat. procedure
    • Require it to report all contradictions (as usual)
    • Also require it to report all equalities between nodes
    [Figure: the same shared DAG as on the previous slide]

35
Nelson-Oppen Method (3)
  • Broadcast all discovered equalities and re-run the sat. procedures
  • Until no more equalities are discovered or a contradiction arises
    [Figure: the same shared DAG, with the contradiction marked at the f nodes]

36
Puzzle: Constructive vs. Classical Proofs
  • Prove the following fact
  • Hint: Try