1 A propositional world Ofer Strichman School of Computer Science, Carnegie Mellon University.
Posted: 21-Dec-2015
1
A propositional world
Ofer Strichman
School of Computer Science, Carnegie Mellon University
2
Integrated decision procedures in Theorem-Provers
Deciding a combination of theories is the key for automation in Theorem Provers:
Boolean operators, Bit-vectors, Sets, Linear Arithmetic, Uninterpreted functions, more …
Example: f(f(x) - f(y)) != f(z) & y <= x + 2 | b & 3 > 10
(the slide's callouts mark the uninterpreted-function part, the linear-arithmetic part and the bit-vector operators of this formula)
Normally, each theory is solved with its own decision procedure and the results are combined (Shostak, Nelson, ...).
3
Integrated decision procedures in Theorem-Provers
All of these theories, except linear arithmetic, have known efficient direct reductions to propositional logic.
Thus, reducing linear arithmetic to propositional logic will:
1. Enable integration of theories at the propositional-logic level.
2. Potentially be faster than known techniques.
4
Linear Arithmetic and its sub-theories
Linear arithmetic predicates compare a linear combination of variables, Σ_i a_i x_i, with a constant c, e.g. 2x – 3y + 5z < 0, or 5x + 2w … 2.
Some useful methods for solving a conjunction of linear arithmetic expressions:
1. Simplex, Elliptic curve
2. Variable elimination methods (Hodes, Fourier-Motzkin, ...)
3. Shostak's loop residues
4. Separation theory: Bellman / Pratt ...
5. ...
5
A decision procedure for separation theory
Separation predicates have the form x > y + c, where x, y are real variables and c is a constant.
Pratt [73] (Bellman [57]): Given a set of conjuncted separation predicates:
1. Construct the 'inequality graph' (an edge between x and y labelled c for each predicate x > y + c).
2. The conjunction is satisfiable iff there is no cycle with non-negative accumulated weight.
Example: (x > z + 3 ∧ z > y – 1 ∧ y > x + 1)
(Figure: inequality graph over x, y, z with edge weights 3, –1 and 1; the cycle accumulates 3 – 1 + 1 = 3 ≥ 0, so this conjunction is unsatisfiable.)
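The Pratt/Bellman procedure above, as an added example (not code from the talk): the inequality graph is built from a list of predicates x > y + c and the cycle test is done with Floyd-Warshall in max-plus form. The edge direction x → y, the function names and the sample inputs are my assumptions.

```python
# Pratt / Bellman decision procedure for a conjunction of separation predicates
# x > y + c (added example, not code from the talk). Each predicate is taken as
# an edge x -> y of weight c in the inequality graph (direction is an assumption);
# the conjunction is satisfiable iff no cycle has non-negative accumulated weight.
from itertools import product
from math import inf

def inequality_graph(predicates):
    """predicates: list of (x, y, c) meaning x > y + c. Returns (variables, edges)."""
    variables = sorted({v for x, y, _ in predicates for v in (x, y)})
    return variables, list(predicates)

def max_closed_walk_weight(variables, edges):
    """Floyd-Warshall in max-plus algebra: dist[i][j] is the heaviest walk i -> j
    found, so dist[i][i] >= 0 witnesses a cycle of non-negative weight. When the
    result is negative it equals the heaviest simple cycle (no walk beats it)."""
    idx = {v: i for i, v in enumerate(variables)}
    n = len(variables)
    dist = [[-inf] * n for _ in range(n)]
    for x, y, c in edges:                      # multi-edges: keep the heaviest
        dist[idx[x]][idx[y]] = max(dist[idx[x]][idx[y]], c)
    for k, i, j in product(range(n), repeat=3):
        dist[i][j] = max(dist[i][j], dist[i][k] + dist[k][j])
    return max((dist[i][i] for i in range(n)), default=-inf)

def separation_sat(predicates):
    """True iff the conjunction of x > y + c predicates has a real solution."""
    variables, edges = inequality_graph(predicates)
    return max_closed_walk_weight(variables, edges) < 0

# Constructed inputs: the slide's x, y, z example and a satisfiable variant.
UNSAT_EXAMPLE = [('x', 'z', 3), ('z', 'y', -1), ('y', 'x', 1)]   # cycle weight 3
SAT_EXAMPLE = [('x', 'y', 1), ('y', 'x', -2)]                   # cycle weight -1
```

A cycle of weight exactly 0 (x > y + 1 together with y > x – 1) is also rejected, since it amounts to x > x.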
6
Handling disjunctions through case splitting
All previously mentioned algorithms handle disjunctions by splitting the formula.
This can be thought of as a two-stage process:
1. Convert the formula to Disjunctive Normal Form (DNF).
2. Solve each clause separately, until one of them is satisfied.
(A common improvement: split 'when needed'.)
Case splitting is frequently the bottleneck of the procedure.
7
So what can be done against case-splitting?
Answer: Split the domain, not the formula.
Given a formula, this transformation can be done if there exists a formula ' s.t. |= |= ', and ' is decidable under a finite domain.
When is this possible?
• The formula enjoys the 'Small model property', or
• Tailor-made reduction
8
SAT vs. infinite-state decision procedures
With finite instantiation (e.g. SAT), we split the domain.
Infinite-state decision procedures split the formula.
So what's the big difference?
10
SAT vs. infinite-state decision procedures
Three mechanisms are crucial for efficient decision making:
1. Pruning.
2. Learning.
3. Guidance (prioritizing internal steps).
SAT has a significant advantage in all three.
11
SAT vs. infinite-state decision procedures (1/4)
1. Pruning
SAT: each clause c prunes up to 2^(|v|-|c|) states.
Others: ? (stops when it finds a satisfiable clause)
(Figure: a decision tree over x and y for the clause (x ∨ y); the branch that falsifies the clause backtracks, and the whole subtree below it is pruned.)
With |v| = 1000 and |c| = 2, one clause prunes 2^998 states.
12
SAT vs. infinite-state decision procedures (2/4)
2. Learning
SAT: Partial assignments that lead to a conflict are recorded and hence not repeated.
Others: (depends on the decision procedure)
- Adding proved sub-goals as antecedents to new sub-goals
- …
13
SAT vs. infinite-state decision procedures (3/4)
3. Guidance (prioritizing internal steps)
Consider a formula built from two sub-formulas, 1 and 2, where 1 is unsat and hard, and 2 is sat and easy.
With proper guidance, a theorem prover should start from 2.
Guidance requires efficient estimation:
- How hard is it to solve each sub-formula?
- To what extent will it simplify the rest of the proof?
14
SAT vs. infinite-state decision procedures (4/4)
3. Guidance (cont'd)
"...To what extent will it simplify the rest of the proof?"
SAT: Guidance through decision heuristics (e.g. DLIS).
Others: Expression ordering, ...
Example: (x ∨ y ∨ z)(x ∨ v)(¬x ∨ ¬z): estimating the simplification by counting the literals in each phase.
15
Example: Equality Logic with Uninterpreted Functions (1/3)
Equality Logic with Uninterpreted Functions:
(Example formula over u1, u2, x, y, z with uninterpreted functions f and g; garbled on the page.)
(Uninterpreted functions are reducible to equality logic. Thus, we can concentrate on equality logic.)
Traditional infinite-state decision procedure: Congruence Closure with case splitting.
16
Example: Equality Logic (2/3)
Since 1998, several groups devised finite-state decision procedures for this theory:
• Goel et al. (CAV'98) – Boolean encoding and BDDs
• Bryant et al. (CAV'99) – Positive equality + finite instantiation
• Pnueli et al. (CAV'99) – Small-domain instantiation
• Bryant et al. (CAV'00) – Boolean encoding with explicit constraints
18
Example: Equality Logic (3/3)
Bryant et al. (CAV'00): Add transitivity constraints to the formula.
Let (x=y, y=z, x=z) be the equality predicates in the formula.
1. Construct the equality graph. (Figure: a triangle over x, y, z with edges e_xy, e_yz, e_xz, one Boolean variable per equality predicate.)
2. Impose transitivity on cycles: e_xy + e_yz + e_xz ≠ 2 (two of the three equalities cannot hold without the third).
The resulting formula is propositional → BDDs, SAT, etc.
20
This work
Extends the results of Bryant et al. to a Boolean combination of:
1. Separation predicates: x, y: real; x > y + c (done)
2. Separation predicates for integers: x, y: int; x > y + c (done)
3. Linear arithmetic: x, y, z: real; linear inequalities over x, y, z with constant c
4. Integer linear arithmetic: x, y, z: int; the same over the integers
21
Usability
Separation predicates: "Most verification conditions involving inequalities are separation predicates" [Pratt, 1973]: array bounds checks, tests on index variables, timing constraints, worst-case execution time analysis, etc.
Linear arithmetic: all of the above + … + linear programming + integer linear programming.
22
Reducing separation predicates to propositional logic (1/6)
A. Normalize (example):
1. Uninterpreted functions → equality logic:
   f(x) > f(y+1)
   becomes (x = y+1 → f1 = f2) ∧ (f1 > f2), i.e. (x ≠ y+1 ∨ f1 = f2) ∧ (f1 > f2)
2. Normal form:
   (x > y+1 ∨ y > x–1 ∨ (f1 ≥ f2 ∧ f2 ≥ f1)) ∧ (f1 > f2)
Now the formula has no negations and only the '>' and '≥' predicate symbols.
25
Reducing separation predicates to propositional logic (3/6)
B. Encode + construct graph (example):
Formula: (x > z + 3 ∧ (z > y – 1 ∨ y > x + 1))
Each predicate is replaced by a Boolean variable: e_zx,3, e_yz,1, e_xy,1.
The encoded formula ' is this propositional skeleton conjoined with transitivity constraints.
(Figure: the separation graph over x, y, z with edge weights 3, –1 and 1, and its dual with edge weights –3, –1 and 1.)
27
Reducing separation predicates to propositional logic (5/6)
C. Add transitivity constraints for each simple cycle (example):
Boolean variables: e_zx,3, e_yz,1, e_xy,1 (one per predicate, i.e. per edge).
': the encoded formula conjoined with one constraint per simple cycle of the separation graph and its dual, ruling out the infeasible combination of that cycle's edges, e.g. ¬(e_zx,3 ∧ e_yz,1 ∧ e_xy,1).
(Figure: separation graph over x, y, z with edge weights 3, –1 and 1, and its dual with weights –3, –1 and 1.)
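Steps B and C above, as an added example that is not the talk's code (nor that of Euclid or SyMP): a normalized formula is given as nested tuples, each predicate becomes a Boolean variable, every simple cycle of the separation graph whose accumulated weight cannot be satisfied yields a transitivity constraint, and the propositional result is solved by brute force in place of a SAT solver. The tuple format, the handling of '>=' atoms from the dual graph and the sample formula are my assumptions.

```python
# Added example (not the talk's code): reduce a normalized Boolean combination of
# separation predicates (atoms (op, x, y, c) mean x op y + c, op in '>', '>=') to SAT.
from itertools import product
# Constructed sample (the talk's x, y, z example): x > z + 3 and (z > y - 1 or y > x + 1)
P1, P2, P3 = ('>', 'x', 'z', 3), ('>', 'z', 'y', -1), ('>', 'y', 'x', 1)
PHI = ('and', P1, ('or', P2, P3))

def atoms(formula):                      # distinct predicates, first-seen order
    if formula[0] not in ('and', 'or'):
        return [formula]
    seen = []
    for sub in formula[1:]:
        seen += [a for a in atoms(sub) if a not in seen]
    return seen

def evaluate(formula, a):                # propositional skeleton under assignment a
    if formula[0] in ('and', 'or'):
        f = all if formula[0] == 'and' else any
        return f(evaluate(sub, a) for sub in formula[1:])
    return a[formula]

def infeasible_cycles(preds):
    """Simple cycles (edge x -> y of weight c per atom x op y + c) that no real
    assignment satisfies: weight > 0, or weight == 0 with at least one strict edge."""
    variables = sorted({v for _, x, y, _ in preds for v in (x, y)})
    rank = {v: i for i, v in enumerate(variables)}
    found = []
    def walk(start, node, path, visited):
        for p in preds:
            if p[1] != node or rank[p[2]] < rank[start]:  # each cycle found once
                continue
            cycle = path + [p]
            if p[2] == start:
                w = sum(q[3] for q in cycle)
                if w > 0 or (w == 0 and any(q[0] == '>' for q in cycle)):
                    found.append(cycle)
            elif p[2] not in visited:
                walk(start, p[2], cycle, visited | {p[2]})
    for s in variables:
        walk(s, s, [], {s})
    return found

def reduce_to_sat(formula):
    """skeleton(phi) AND 'not all edges hold' per infeasible cycle, brute-forced; model or None."""
    preds = atoms(formula)
    constraints = infeasible_cycles(preds)
    for values in product([False, True], repeat=len(preds)):
        a = dict(zip(preds, values))
        if evaluate(formula, a) and not any(all(a[p] for p in c) for c in constraints):
            return a
    return None
```

For PHI the single constraint ¬(P1 ∧ P2 ∧ P3) leaves the model P1, P3 true and P2 false; the plain conjunction of all three atoms has no model.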
29
Compact representation of constraints (1/4)
n diamonds → 2^n simple cycles.
(Figure: a chain of diamonds; the top path of a diamond has weights c1, c2, the bottom path c3, c4, and a diamond can be summarised by a single edge of weight c1 + c2.)
Can we do better than that?
In most cases, yes.
E.g. if the diamonds are 'balanced' (c1 + c2 = c3 + c4): O(n) constraints.
30
Compact representation of constraints (2/4)
Chordal graphs: each cycle of size greater than 3 has a 'chord'.
In the equality predicates case: Let C be a cycle in G, and let an assignment violate C's transitivity constraint.
Theorem: there exists a cycle c of size 3 in G such that the assignment violates c's constraint as well.
Conclusion: add transitivity constraints only for triangles.
Now only a polynomial number of constraints is required.
(Figure: a chordal graph G.)
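The triangle-only construction above for the equality case, as an added example that is not the talk's code: the equality graph is made chordal by a min-degree vertex elimination (an assumption; the talk does not say how chords are chosen), and every triangle then contributes the three clauses e_ab ∧ e_bc → e_ac. Node names, the clause encoding and the sample graphs are mine.

```python
# Transitivity constraints for equality logic restricted to triangles, following
# the chordal-graph argument (added example, not the talk's code). Nodes are terms,
# undirected edges are the equality predicates e_xy of the formula.
from itertools import combinations
# Constructed samples: the talk's triangle x, y, z and a 4-cycle that needs one chord.
TRIANGLE = (['x', 'y', 'z'], [('x', 'y'), ('y', 'z'), ('x', 'z')])
SQUARE = (['a', 'b', 'c', 'd'], [('a', 'b'), ('b', 'c'), ('c', 'd'), ('d', 'a')])

def chordal_completion(nodes, edges):
    """Make the graph chordal: eliminate vertices in min-degree order (assumed
    heuristic) and connect the remaining neighbours of each one (fill edges)."""
    adj = {v: set() for v in nodes}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    fill, remaining = set(), set(nodes)
    while remaining:
        v = min(remaining, key=lambda u: (len(adj[u] & remaining), u))
        for a, b in combinations(sorted(adj[v] & remaining), 2):
            if b not in adj[a]:               # missing chord: add it as a fill edge
                adj[a].add(b)
                adj[b].add(a)
                fill.add((a, b))
        remaining.remove(v)
    return adj, fill

def triangles(adj):
    return [(a, b, c) for a, b, c in combinations(sorted(adj), 3)
            if b in adj[a] and c in adj[a] and c in adj[b]]

def transitivity_clauses(nodes, edges):
    """One clause per triangle and orientation, e_ab AND e_bc -> e_ac, written as
    the CNF clause (-e_ab, -e_bc, e_ac). Fill edges get fresh Boolean variables."""
    adj, fill = chordal_completion(nodes, edges)
    var = {frozenset(e): f"e_{min(e)}{max(e)}" for e in list(edges) + sorted(fill)}
    clauses = []
    for a, b, c in triangles(adj):
        for x, y, z in ((a, b, c), (b, c, a), (c, a, b)):
            exy, eyz, exz = (var[frozenset(e)] for e in ((x, y), (y, z), (x, z)))
            clauses.append(("-" + exy, "-" + eyz, exz))
    return clauses, fill
```

The 4-cycle needs the single chord b–d, after which its two triangles give six clauses instead of constraints on every cycle.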
31
Compact representation of constraints (3/4)
Our case is more complicated:
• G is directed
• G is a multi-graph
• Edges have weights
• There are two types of edges
G is chordal iff every directed cycle of size greater than 3 has a chord which 'accumulates' the weight of the path between its ends.
(Figure: a cycle with edge weights c1, c2, c3, c4, c5 and a chord of weight c1 + c2.)
32
Compact representation of constraints (4/4)
Complexity of making the graph chordal:
1. If the diamonds are 'balanced': O(n) constraints.
2. If there are uniform weights c1 and c2 (c1 ≠ c2) on the top and bottom paths: O(n^2) constraints.
3. Worst case: O(2^n).
(Figure: a chain of diamonds with weight c1 on every top edge and c2 on every bottom edge.)
34
Extension to integer variables (1/2): x, y: int; x > y + c
Given a formula with integer separation predicates, derive R:
• Declare all variables as real.
• For each predicate x > y + c, add the constraint x > y + c → x ≥ y + c + 1 (c is an integer).
Theorem: the formula is satisfiable iff R is satisfiable.
36
Experimental results (1/3)
(Figure: a chain of n diamonds, d = 2.)
n diamonds; each diamond has 2d edges.
The top and bottom paths in each diamond are disjuncted.
There are 2^n conjuncted cycles.
By adjusting the weights, we ensured that there is a single satisfying assignment.
37
Experimental results (2/3)
Columns on the slide: n, d, ICS, PVS, Coq, Graph analysis, Chaff. Each row lists the times that appear on the slide, in that order; empty cells are not recoverable.

| n | d | reported times |
|---|---|---|
| 3 | 2 | < 1, < 1, < 1 |
| 4 | 2 | 5.9, < 1, < 1 |
| 5 | 2 | 95.1, < 1, < 1 |
| 7 | 4 | > 10^4, > 10^4, < 1, < 1 |
| 100 | 5 | > 10^4, 32, < 1 |
| 250 | 5 | > 10^4, 754, 1.6 |
| 500 | 5 | > 10^4, > 10^4 |

To be continued...
38
Experimental results (3/3)

| Model | Steps | ICS | Graph analysis | Chaff |
|---|---|---|---|---|
| Load-store unit | 1 | < 1 | < 1 | < 1 |
| Load-store unit | 2 | 87.1 | < 1 | < 1 |
| Load-store unit | 3 | > 10^4 | 90 | 1 |
| Out-of-order unit | 2 | < 1 | < 1 | < 1 |
| Out-of-order unit | 3 | > 10^4 | 2.9 | < 1 |
| Cache protocol | 1 | < 1 | < 1 | < 1 |
| Cache protocol | 2 | 1.8 | < 1 | < 1 |

To be continued...
The procedure has recently been integrated into SyMP and Euclid. We currently experiment with real software verification problems.
40
Next: Linear Arithmetic (1/2)
Separation predicates: x > y + c becomes an edge from x to y labelled c.
Adding constraints according to accumulated cycle weight: the test c1 + c2 + c3 > 0 results in a yes/no answer.
(Figure: a cycle of three edges with weights c1, c2 and c3.)
41
Next: Linear Arithmetic (2/2)
Linear arithmetic: x > y + 2z + c becomes an edge from x to y labelled 2z + c.
(Figure: a cycle through x and y whose edge labels, numbered 1, 2 and 3, are linear expressions such as 2z + c.)
The test "1 + 2 + 3 > 0" now results in a new predicate, not a yes/no answer!
Shostak [81]: 'Deciding linear inequalities by computing loop residues':
- Determine a fixed variable order
- Represent each predicate by its two 'highest' variables
This procedure guarantees termination.