A propositional world - PowerPoint PPT Presentation

Description: A propositional world. Ofer Strichman, joint work with Randal Bryant and Sanjit Seshia, School of Computer Science, Carnegie Mellon University (PowerPoint PPT presentation, 32 slides).

Transcript and Presenter's Notes
1
A propositional world
  • Ofer Strichman
  • Joint work with
  • Randal Bryant and Sanjit Seshia
  • School of Computer Science, Carnegie Mellon
    University

2
Integrated decision procedures in Theorem-Provers
Deciding a combination of theories is the key for automation in theorem provers: Boolean operators, bit-vectors, sets, linear arithmetic, uninterpreted functions, and more.
Example (bit-vector operators, linear arithmetic, uninterpreted functions):
f(f(x) - f(y)) ≠ f(z)    y < x + 2    b 3 > 10
Normally, each theory is solved with its own decision procedure and the results are combined (Shostak, Nelson, ...).
3
Integrated decision procedures in Theorem-Provers
All of these theories, except linear arithmetic, have known efficient direct reductions to propositional logic.
Thus, reducing linear arithmetic to propositional logic will:
1. Enable integration of theories at the propositional logic level.
2. Potentially be faster than known techniques.
4
Linear Arithmetic and its sub-theories
2x + 3y + 5z < 0    5x + 2w ≥ 2
  • Some useful methods for solving a conjunction of linear arithmetic expressions:
  • Simplex, Elliptic curve
  • Variable elimination methods (Hodes, Fourier-Motzkin, ...)
  • Shostak's loop residues
  • Separation theory (Bellman / Pratt ...)
  • ...

5
A decision procedure for separation theory
Separation predicates have the form x > y + c, where x, y are real variables and c is a constant.
Pratt 73 (/Bellman 57): Given a set of conjuncted separation predicates φ:
1. Construct the inequality graph.
2. φ is satisfiable iff there is no cycle with non-negative accumulated weight.
φ = (x > z + 3 ∧ z > y + 1 ∧ y > x + 1)
6
Handling disjunctions through case splitting
  • All previously mentioned algorithms handle disjunctions by splitting the formula.
  • This can be thought of as a two-stage process:
  • Convert the formula to Disjunctive Normal Form (DNF).
  • Solve each clause separately, until one of them is found satisfiable.

(A common improvement: split only when needed.)
Case splitting is frequently the bottleneck of the procedure.
7
So what can be done against case-splitting?
Answer: Split the domain, not the formula.
Given a formula φ, this transformation can be done if there exists φ' s.t. φ ≡ φ', and φ' is decidable under a finite domain.
  • When is this possible?
  • φ enjoys the small model property, or
  • Tailor-made reduction

8
SAT vs. infinite-state decision procedures
With finite instantiation (e.g. SAT), we split the domain. Infinite-state decision procedures split the formula. So what's the big difference?
9
SAT vs. infinite-state decision procedures
Three mechanisms are crucial for efficient decision making. SAT has a significant advantage in all three.
10
SAT vs. infinite-state decision procedures
Three mechanisms, crucial for efficient decision
making
SAT has a significant advantage in all three.
11
SAT vs. infinite-state decision procedures (1/4)
1. Pruning
SAT: each clause c prunes up to 2^(v - |c|) states.
v = 1000, |c| = 2: pruning 2^998 states.
Others: ? (stops when it finds a satisfiable clause)
12
SAT vs. infinite-state decision procedures (2/4)
2. Learning
SAT: partial assignments that lead to a conflict are recorded and hence not repeated.
Others (depends on the decision procedure): adding proved sub-goals as antecedents to new sub-goals.
13
SAT vs. infinite-state decision procedures (3/4)
3. Guidance (prioritizing internal steps)
Consider φ1 ∨ φ2, where φ1 is unsat and hard, and φ2 is sat and easy.
With proper guidance, a theorem prover should start from φ2.
Guidance requires efficient estimation:
- How hard is it to solve each sub-formula?
- To what extent will it simplify the rest of the proof?
14
SAT vs. infinite-state decision procedures (4/4)
3. Guidance (cont'd)
... To what extent will it simplify the rest of the proof?
SAT: guidance through decision heuristics (e.g. DLIS).
(x ∨ y ∨ z) (x ∨ v) (x ∨ z)
Estimating simplification by counting literals in each phase.
Others: expression ordering, ...
15
Example: Equality Logic with Uninterpreted Functions (1/3)
Equality Logic with Uninterpreted Functions
(Uninterpreted functions are reducible to equality logic. Thus, we can concentrate on equality logic.)
Traditional infinite-state decision procedure: congruence closure with case splitting.
16
Example: Equality Logic (2/3)
  • Since 1998, several groups devised finite-state decision procedures for this theory:
  • Goel et al. (CAV98): Boolean encoding and BDDs
  • Bryant et al. (CAV99): Positive-equality finite instantiation
  • Pnueli et al. (CAV99): Small-domain instantiation
  • Bryant et al. (CAV00): Boolean encoding with explicit constraints

17
Example: Equality Logic (3/4)
  • Goel et al. (CAV98)
  • Encode each equality i = j with a new Boolean variable e_ij
  • Construct the BDD of the encoded formula
  • Search the BDD for a consistent path leading to 1.

E.g. an assignment to three variables e_xy, e_yz, e_xz is consistent iff
e_xy + e_yz + e_xz ≠ 2
18
Example: Equality Logic (3/3)
Bryant et al. (CAV00): Add transitivity constraints to the formula.
Let (x = y, y = z, x = z) be the equality predicates in φ.
1. Construct the equality graph.
2. Impose transitivity on cycles: e_xy + e_yz + e_xz ≠ 2
The resulting formula is propositional ⇒ BDDs, SAT, etc.
19
Example: Equality Logic (cont'd)
The number of simple cycles can be exponential.
Bryant et al. suggested to first make the graph chordal.
In a chordal graph, every assignment that violates transitivity also violates the transitivity of a triangle. Hence it is sufficient to impose transitivity over triangles.
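As an added illustration (not code from the slides or from Bryant et al.), a brute-force version of the encoding described above: each equality becomes a Boolean variable e_xy, and for every triangle of the equality graph the constraint e_xy + e_yz + e_xz ≠ 2 is added before a model is searched for. The names `eq`, `triangles`, `transitivity_ok` and `solve` are this example's own; it also shows why the graph must be made chordal first, since a 4-cycle without a chord admits a spurious Boolean model that triangle constraints alone do not rule out.

```python
from itertools import combinations, product

def eq(a, b):
    """Equality atom a = b; its Boolean encoding variable is e_{a,b} (unordered)."""
    return frozenset((a, b))

def triangles(atoms):
    """All triples of variables whose three pairwise equalities are atoms of phi,
    i.e. the triangles of the equality graph (assumed chordal, as on the slide)."""
    variables = sorted({v for atom in atoms for v in atom})
    return [t for t in combinations(variables, 3)
            if all(eq(*p) in atoms for p in combinations(t, 2))]

def transitivity_ok(model, tris):
    """Bryant et al. constraint per triangle: e_xy + e_yz + e_xz != 2, i.e. no
    assignment may make exactly two of the three equalities true."""
    return all(sum(model[eq(*p)] for p in combinations(t, 2)) != 2 for t in tris)

def solve(skeleton, atoms, use_transitivity=True):
    """Brute-force the propositional encoding (a SAT solver would stand in here).
    skeleton(model) evaluates the Boolean skeleton of phi over the e variables;
    returns a satisfying model, or None if the encoding is unsatisfiable."""
    tris = triangles(atoms) if use_transitivity else []
    atom_list = sorted(atoms, key=sorted)
    for bits in product((False, True), repeat=len(atom_list)):
        model = dict(zip(atom_list, bits))
        if skeleton(model) and transitivity_ok(model, tris):
            return model
    return None

if __name__ == "__main__":
    # Constructed example: phi = (x = y) and (y = z) and not (x = z).
    atoms = {eq("x", "y"), eq("y", "z"), eq("x", "z")}
    phi = lambda m: m[eq("x", "y")] and m[eq("y", "z")] and not m[eq("x", "z")]
    print(solve(phi, atoms, use_transitivity=False))  # spurious Boolean model
    print(solve(phi, atoms))                           # None
```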
20
This work
Extends the results of Bryant et al. to a Boolean combination of:
  • Separation predicates
  • Separation predicates for integers
  • Linear arithmetic
  • Integer linear arithmetic

Done
21
Usability
Separation predicates: Most verification conditions involving inequalities are separation predicates [Pratt, 1973]: array bounds checks, tests on index variables, timing constraints, worst-case execution time analysis, etc.
Linear arithmetic: All of the above + linear programming, integer linear programming.
22
Reducing separation predicates to propositional logic (1/6)
A. Normalize (example)
φ: f(x) > f(y + 1)
1. Uninterpreted functions → equality logic:
φ: (x = y + 1 → f1 = f2) ∧ (f1 > f2)
2. Normal form (rewriting x = y + 1 and f1 = f2):
φ: (x > y + 1 ∨ y > x - 1 ∨ (f1 ≥ f2 ∧ f2 ≥ f1)) ∧ (f1 > f2)
Now φ has no negations and only the > and ≥ predicate symbols.
23
Reducing separation predicates to propositional logic (2/6)
A. Normalize (procedure)
1. Reduce uninterpreted functions to equalities.
2. Rewrite equalities as a conjunction of inequalities, e.g. rewrite x = y + c as x ≥ y + c ∧ x ≤ y + c.
3. Transform φ to Negation Normal Form, and eliminate negations by reversing inequality signs.
4. Rewrite < and ≤ predicates as > and ≥, e.g. rewrite x < y + c as y > x - c.
24
Reducing separation predicates to propositional logic (2/6)
A. Normalizing example
φ: z < x - 3 ∧ ¬(z ≤ y + 1 ∧ x > y - 1)
⇒ x > z + 3 ∧ (z > y + 1 ∨ y ≥ x + 1)
25
Reducing separation predicates to propositional logic (3/6)
B. Encode: construct the graph (example)
φ: (x > z + 3 ∧ (z > y + 1 ∨ y ≥ x + 1))
[Figure: transitivity constraints for the cycle of φ and their dual; the formulas are not legible in the transcript]
[Figure: separation graph]
26
Reducing separation predicates to propositional logic (4/6)
B. Encode predicates and construct a graph (procedure)
1. Construct a graph G(V, E), where V = the variables in φ. Each edge e ∈ E is a 4-tuple (from, to, weight, {>, ≥}).
3. Substitute each predicate in φ of the form x ≥ y + c with a Boolean variable, and add an edge (x, y, c, ≥) to E.
27
Reducing separation predicates to propositional logic (5/6)
C. Add transitivity constraints for each simple cycle (example)
[Figure: transitivity constraints for each simple cycle of the separation graph; the formulas are not legible in the transcript]
28
Reducing separation predicates to propositional logic (6/6)
C. Add transitivity constraints for each cycle C:
1. If there are mixed edges: if the total weight is not negative ...; if the total weight is not positive ...
2. If all edges are ≥ ...
3. If all edges are > ...
29
Compact representation of constraints (1/4)
n diamonds ⇒ 2^n simple cycles. Can we do better than that?
In most cases, yes. E.g. if the diamonds are balanced (c1 + c2 = c3 + c4) ⇒ O(n) constraints.
[Figure: a chain of diamonds with edge weights c1, c2, c3, c4]
30
Compact representation of constraints (2/4)
Chordal graphs: each cycle of size greater than 3 has a chord.
[Figure: a chordal graph G]
In the equality predicates case: Let C be a cycle in G. Let α be an assignment that violates C's transitivity (α ⊭ C).
Theorem: there exists a cycle c of size 3 in G s.t. α ⊭ c.
Conclusion: add transitivity constraints only for triangles. Now only a polynomial number of constraints is required.
31
Compact representation of constraints (3/4)
  • Our case is more complicated:
  • G is directed
  • G is a multi-graph
  • Edges have weights
  • There are two types of edges

G is chordal iff every directed cycle of size greater than 3 has a chord which accumulates the weight of the path between its ends.
32
Compact representation of constraints (4/4)
Complexity of making the graph chordal:
1. If the diamonds are balanced ⇒ O(n) constraints
3. Worst case ⇒ O(2^n)
33
Extension to integer variables (1/2)
Given φ with integer separation predicates, derive φR:
  • Declare all variables as real.
  • Replace x > y + c, x ≥ y + c, where c is not an integer, with x ≥ y + ⌈c⌉.
  • For each predicate x > y + c, add a constraint x > y + c → x ≥ y + c + 1.

Theorem: φ is satisfiable iff φR is satisfiable.
34
Extension to integer variables (1/2)
(c is an integer)
Given φ with integer separation predicates, derive φR:
  • Declare all variables as real.
  • For each predicate x > y + c, add a constraint x > y + c → x ≥ y + c + 1.

Theorem: φ is satisfiable iff φR is satisfiable.
35
Extension to integer variables (2/2)
Example
φ: x, y int: x > y + 1 ∧ x < y + 2
φR: x, y real: x > y + 1 ∧ y > x - 2 ∧ (x > y + 1 → x ≥ y + 2) ∧ (y > x - 2 → y ≥ x - 1)
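The Pratt/Bellman procedure from slide 5, the case splitting of slide 6 and the integer-to-real reduction from slide 33, as one added Python example (not the authors' code): the inequality graph is searched for a cycle with non-negative accumulated weight by a max-plus Floyd-Warshall pass, Boolean combinations are handled by enumerating DNF cubes, and integer predicates are reduced first when requested. The tuple encoding of predicates and formulas and the names `sat_conjunction`, `to_real`, `cubes` and `sat_formula` are this example's own.

```python
from math import ceil
# Constructed encoding: (x, y, c, strict) means x > y + c if strict else x >= y + c;
# formulas are nested ('and', f, g) / ('or', f, g) tuples over such predicates.

def sat_conjunction(preds):
    """Pratt/Bellman check over the reals (slide 5): edge y -> x of weight c for
    x > y + c. Weights are (c, strict_count) pairs compared lexicographically, so a
    cycle is 'non-negative' (unsat) iff its total > (0, 0): positive, or zero with a > edge."""
    nodes = sorted({v for x, y, _, _ in preds for v in (x, y)})
    idx = {v: i for i, v in enumerate(nodes)}
    n = len(nodes)
    best = [[None] * n for _ in range(n)]          # longest known i -> j weight
    for x, y, c, strict in preds:                  # multi-graph: keep the tightest edge
        i, j, w = idx[y], idx[x], (c, 1 if strict else 0)
        if best[i][j] is None or w > best[i][j]:
            best[i][j] = w
    for k in range(n):                             # Floyd-Warshall in max-plus form
        for i in range(n):
            for j in range(n):
                if best[i][k] is None or best[k][j] is None:
                    continue
                via = (best[i][k][0] + best[k][j][0], best[i][k][1] + best[k][j][1])
                if best[i][j] is None or via > best[i][j]:
                    best[i][j] = via
    return not any(best[i][i] is not None and best[i][i] > (0, 0) for i in range(n))

def to_real(preds):
    """Slide 33 reduction, integer predicates -> real ones. In a conjunction each
    predicate is asserted, so x > y + c -> x >= y + c + 1 collapses to a replacement."""
    out = []
    for x, y, c, strict in preds:
        if c != int(c):                            # non-integer c: x >= y + ceil(c)
            out.append((x, y, ceil(c), False))
        elif strict:                               # x > y + c  ->  x >= y + c + 1
            out.append((x, y, c + 1, False))
        else:
            out.append((x, y, c, False))
    return out

def cubes(f):
    """Case splitting (slide 6): the conjunctions of a DNF of f."""
    if f[0] == 'and':
        return [a + b for a in cubes(f[1]) for b in cubes(f[2])]
    if f[0] == 'or':
        return cubes(f[1]) + cubes(f[2])
    return [[f]]

def sat_formula(f, integers=False):
    return any(sat_conjunction(to_real(cube) if integers else cube) for cube in cubes(f))
```

Over the reals the slide 35 formula is satisfiable (e.g. x = y + 1.5); after `to_real` the two edges form a cycle of weight +1 and the integer instance is reported unsatisfiable.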
36
Experimental results (1/3)
[Figure: a chain of n diamonds, d = 2]
n diamonds. Each diamond has 2d edges. The top and bottom paths in each diamond are disjuncted. There are 2^n conjuncted cycles. By adjusting the weights, we ensured that there is a single satisfying assignment.
37
Experimental results (2/3)
To be continued...
38
Experimental results (3/3)
To be continued...
The procedure has recently been integrated into SyMP and Euclid. We are currently experimenting with real software verification problems.
40
Next: Linear Arithmetic (1/2)
Separation predicates
[Figure: edge from y to x labelled c, representing x > y + c]
Adding constraints according to accumulated cycle weight:
The test c1 + c2 + c3 > 0 results in a yes/no answer.
41
Next: Linear Arithmetic (2/2)
Linear arithmetic
[Figure: edge from y to x labelled 2z + c, representing x > y + 2z + c]
The test e1 + e2 + e3 > 0 (the accumulated edge expressions) results in a new predicate!
Shostak 81: Deciding linear inequalities by computing loop residues.
- Determine a fixed variable order.
- Represent each predicate by its two highest variables.
This procedure guarantees termination.