A propositional world


Ofer Strichman

School of Computer Science, Carnegie Mellon University

2

Integrated decision procedures in Theorem-Provers

Deciding a combination of theories is the key for automation in Theorem Provers:

Boolean operators, Bit-vector, Sets, Linear-Arithmetic, Uninterpreted functions, More …

f(f(x)-f(y)) != f(z) & y <= x + 2 | b & 3 > 10

(the formula mixes uninterpreted functions, linear arithmetic and bit-vector operators)

Normally, each theory is solved with its own decision procedure and the results are combined (Shostak, Nelson..).

3

Integrated decision procedures in Theorem-Provers

All of these theories, except linear arithmetic, have known efficient direct reductions to propositional logic.

Thus, reducing linear arithmetic to propositional logic will:

1. Enable integration of theories in the propositional logic level.

2. Potentially be faster than known techniques.

4

Linear Arithmetic and its sub-theories

Linear arithmetic predicates: Σ_i a_i x_i ⋈ c, where ⋈ ∈ {<, ≤, =, ≥, >}

Examples: 2x − 3y + 5z < 0,  5x + 2w ⋈ 2

Some useful methods for solving a conjunction of linear arithmetic expressions:

1. Simplex, Elliptic curve
2. Variable Elimination Methods (Hodes, Fourier-Motzkin, ..)
3. Shostak's loop residues
4. Separation theory: Bellman / Pratt ...
5. ...

5

A decision procedure for separation theory

Separation predicates have the form x > y + c, where x, y are real variables and c is a constant.

Pratt [73] (/Bellman [57]): Given a set φ of conjuncted separation predicates:

1. Construct the 'inequality graph'.
2. φ is satisfiable iff there is no cycle with non-negative accumulated weight.

φ: (x > z + 3 ∧ z > y − 1 ∧ y > x + 1)

[Figure: inequality graph with vertices x, y, z and edge weights 3, 1, −1]
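The Pratt/Bellman procedure above, as an added example (not code from the slides): every predicate becomes a graph edge and one Bellman-Ford pass detects a contradictory cycle. The tuple layout (x, y, c, strict), the function names and the pair-valued edge weights are this example's own conventions; it also accepts non-strict predicates x ≥ y + c, which the slide does not show.

```python
# Added example: Pratt/Bellman decision procedure for a conjunction of separation
# predicates.  "x > y + c" is the tuple (x, y, c, True) and "x >= y + c" is
# (x, y, c, False); this layout is an assumption of the example, not the slides'.

def inequality_graph(preds):
    """Inequality graph: predicate x ⋈ y + c becomes the edge x -> y.
    Around a cycle the variables cancel, leaving 0 ⋈ sum(c), which is contradictory
    when sum(c) > 0, or when sum(c) == 0 and some edge is strict.  Weighting each
    edge with the pair (-c, -1 if strict else 0) turns that test into an ordinary
    'negative cycle' test under lexicographic comparison of the pairs."""
    edges = [(x, y, (-c, -1 if strict else 0)) for x, y, c, strict in preds]
    nodes = {x for x, _, _ in edges} | {y for _, y, _ in edges}
    return nodes, edges

def conjunction_satisfiable(preds):
    """Bellman-Ford from a virtual source joined to every node with weight (0, 0):
    the conjunction is satisfiable iff no lexicographically negative cycle exists."""
    nodes, edges = inequality_graph(preds)
    dist = {v: (0, 0) for v in nodes}
    for _ in range(len(nodes)):            # |V| rounds suffice with the virtual source
        for x, y, (w, s) in edges:
            candidate = (dist[x][0] + w, dist[x][1] + s)
            if candidate < dist[y]:
                dist[y] = candidate
    # If any edge can still be relaxed, a negative cycle exists: the predicates clash.
    return all((dist[x][0] + w, dist[x][1] + s) >= dist[y] for x, y, (w, s) in edges)

if __name__ == "__main__":
    # The slide's example: x > z + 3, z > y - 1, y > x + 1 (cycle weight 3 - 1 + 1 >= 0).
    phi = [("x", "z", 3, True), ("z", "y", -1, True), ("y", "x", 1, True)]
    print(conjunction_satisfiable(phi))        # False: the cycle is contradictory
    print(conjunction_satisfiable(phi[:2]))    # True: no cycle at all
```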

6

Handling disjunctions through case splitting

All previously mentioned algorithms handle disjunctions by splitting the formula.

This can be thought of as a two stage process:

1. Convert the formula to Disjunctive Normal Form (DNF)
2. Solve each clause separately, until one of them is satisfied.

(A common improvement: split ‘when needed’)

Case splitting is frequently the bottleneck of the procedure

7

So what can be done against case-splitting?

Answer: Split the domain, not the formula.

Given a formula φ, this transformation can be done if there exists φ' s.t. ⊨ φ iff ⊨ φ', and φ' is decidable under a finite domain.

When is this possible?

• φ enjoys the 'Small model property', or
• Tailor-made reduction

8

SAT vs. infinite-state decision procedures

With finite instantiation (e.g. SAT), we split the domain.

Infinite state decision procedures split the formula.

So what's the big difference?

10

SAT vs. infinite-state decision procedures

Three mechanisms, crucial for efficient decision making:

1. Pruning.
2. Learning.
3. Guidance (prioritizing internal steps).

SAT has a significant advantage in all three.

11

SAT vs. infinite-state decision procedures (1/4)

1. Pruning

SAT: each clause c prunes up to 2^(|v| − |c|) states.

Others: ? (stops when it finds a satisfiable clause)

[Figure: decision tree over x and y for the clause (x ∨ y); the branch that falsifies the clause is marked 'Backtrack' and the subtree below it 'Pruned!']

|v| = 1000, |c| = 2: pruning 2^998 states

12

SAT vs. infinite-state decision procedures (2/4)

2. Learning

SAT: Partial assignments that lead to a conflict are recorded and hence not repeated.

Others: (depends on decision procedure)
- Adding proved sub-goals as antecedents to new sub-goals
- …

13

SAT vs. infinite-state decision procedures (3/4)

3. Guidance (prioritizing internal steps)

Guidance requires efficient estimation:

- How hard is it to solve each sub-formula?
- To what extent will it simplify the rest of the proof?

Consider a formula built from sub-formulas φ1 and φ2, where φ1 is unsat and hard, and φ2 is sat and easy.

With proper guidance, a theorem prover should start from φ2.

14

SAT vs. infinite-state decision procedures (4/4)

3. Guidance (cont'd)

"..To what extent will it simplify the rest of the proof?"

SAT: Guidance through decision heuristics (e.g. DLIS).

Others: Expression ordering, ...

(x ∨ y ∨ z)(x ∨ v)(¬x ∨ ¬z)

Estimating simplification by counting literals in each phase

15

Example: Equality Logic with Uninterpreted Functions (1/3)

Equality Logic with Uninterpreted Functions:

u1 ⋈ f(x), u2 ⋈ f(y), z ⋈ g(u1, u2), z ⋈ g(f(x), f(y))  (each ⋈ is = or ≠; the relation symbols and connectives did not survive the transcript)

(Uninterpreted functions are reducible to equality logic. Thus, we can concentrate on equality logic)

Traditional infinite-state decision procedure: Congruence Closure with case splitting.

16

Example: Equality Logic (2/3)

Since 1998, several groups devised finite-state decision procedures for this theory:

• Goel et al. (CAV'98) – Boolean encoding and BDDs

• Bryant et al. (CAV'99) – Positive-equality + finite instantiation

• Pnueli et al. (CAV'99) – Small domains instantiation

• Bryant et al. (CAV'00) – Boolean encoding with explicit constraints

18

Example: Equality Logic (3/3)

Bryant et al. (CAV'00): Add transitivity constraints to the formula.

Let (x = y, y = z, x = z) be the equality predicates in φ.

1. Construct the equality graph.

[Figure: equality graph with vertices x, y, z and edges e_xy, e_xz, e_yz]

2. Impose transitivity on cycles: e_xy + e_yz + e_xz ≠ 2

The resulting formula is propositional → BDDs, SAT, etc.

20

This work

Extends the results of Bryant et al. to a Boolean combination of:

1. Separation predicates:  x, y : real;  x ⋈ y + c   (Done)
2. Separation predicates for integers:  x, y : int;  x ⋈ y + c
3. Linear arithmetic:  x, y, ... : real;  Σ_i a_i x_i ⋈ c
4. Integer linear arithmetic:  x, y, ... : int;  Σ_i a_i x_i ⋈ c

where ⋈ ∈ {>, ≥}

21

Usability

Separation predicates: "Most verification conditions involving inequalities are separation predicates" [Pratt, 1973]: Array bounds checks, tests on index variables, timing constraints, worst execution time analysis, etc.

Linear arithmetic: All of the above + … + Linear programming, + Integer Linear programming.

22

Reducing separation predicates to propositional logic (1/6)

A. Normalize (example):

φ: f(x) > f(y + 1)

1. Uninterpreted functions → equality logic (f(x) is replaced by f1, f(y + 1) by f2):

φ: (x = y + 1 → f1 = f2) ∧ (f1 > f2), i.e. (x ≠ y + 1 ∨ f1 = f2) ∧ (f1 > f2)

2. Normal form:

φ: (x > y + 1 ∨ y > x − 1 ∨ (f1 ≥ f2 ∧ f2 ≥ f1)) ∧ (f1 > f2)

Now φ has no negations and only the '>' and '≥' predicate symbols.

2. Normal form

25

Reducing separation predicates to propositional logic (3/6)

B. Encode + construct graph (example):

φ: (x > z + 3 ∧ (z > y − 1 ∨ y ≥ x + 1))

φ': (e_{zx,3} ∧ (e_{yz,−1} ∨ e_{xy,1}))

[Figure: separation graph over x, y, z with edge weights 3, 1, −1, and its dual with edge weights −3, −1, 1]

27

Reducing separation predicates to propositional logic (5/6)

C. Add transitivity constraints for each simple cycle (example):

φ': (e_{zx,3} ∧ (e_{yz,−1} ∨ e_{xy,1}))

Transitivity constraint for the cycle x → z → y → x (accumulated weight 3 − 1 + 1 ≥ 0, so the three predicates cannot hold together):

φ'': ((e_{zx,3} ∧ (e_{yz,−1} ∨ e_{xy,1})) ∧ ¬(e_{yz,−1} ∧ e_{xy,1} ∧ e_{zx,3}))

[Figure: separation graph over x, y, z with edge weights 3, 1, −1, and its dual with edge weights −3, −1, 1]

29

Compact representation of constraints (1/4)

[Figure: a chain of n diamonds; each diamond has a top path with weights c1, c2, a bottom path with weights c3, c4, and a chord of weight c1 + c2]

n diamonds → 2^n simple cycles.

Can we do better than that?

In most cases - yes.

e.g. If the diamonds are 'balanced' (c1 + c2 = c3 + c4) → O(n) constraints

30

Compact representation of constraints (2/4)

Chordal graphs: each cycle of size greater than 3 has a 'chord'.

In the equality predicates case: Let C be a cycle in G, and let an assignment violate C's transitivity constraint.

Theorem: there exists a cycle c of size 3 in G s.t. the same assignment violates c's transitivity constraint.

Conclusion: add transitivity constraints only for triangles.

Now only a polynomial no. of constraints is required.

[Figure: G]

31

Compact representation of constraints (3/4)

Our case is more complicated:
• G is directed
• G is a multi-graph
• Edges have weights
• There are two types of edges

G is chordal iff: Every directed cycle of size greater than 3 has a chord which 'accumulates' the weight of the path between its ends.

[Figure: a cycle with edge weights c1, c2, c3, c4, c5 and a chord of weight c1 + c2]

32

Compact representation of constraints (4/4)

Complexity of making the graph chordal:

1. If the diamonds are 'balanced' → O(n) constraints
2. If there are uniform weights c1 and c2, c1 ≠ c2, on the top and bottom paths → O(n^2) constraints
3. Worst case → O(2^n)

[Figure: a chain of diamonds with weight c1 on every top edge and c2 on every bottom edge]

34

Extension to integer variables (1/2):  x, y : int;  x ⋈ y + c

Given φ with integer separation predicates, derive φ_R:

• Declare all variables as real.
• For each predicate x > y + c, add a constraint x > y + c → x ≥ y + c + 1 (c is an integer).

Theorem: φ is satisfiable iff φ_R is satisfiable.
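The reduction of the preceding slides (normalize, encode, add a transitivity constraint per contradictory simple cycle) together with the integer rule just stated, as one added example that is neither the slides' nor the paper's code. Predicates become Boolean variables, the cycles are enumerated on the separation graph, and the propositional result is checked by enumeration in place of a SAT solver; the integer case strengthens x > y + c to x ≥ y + c + 1, which is equivalent to the slide's added implication. The tuple layout, formula encoding and function names are assumptions of this example.

```python
from itertools import product

# Added example (not the slides' code).  "x > y + c" is (x, y, c, True), "x >= y + c" is
# (x, y, c, False); formulas are a predicate, ('and', ...) or ('or', ...), no negations.

def predicates(f):
    """Distinct predicates of f; each becomes one Boolean variable e_i."""
    if f[0] in ('and', 'or'):
        return {p for g in f[1:] for p in predicates(g)}
    return {f}

def evaluate(f, assignment):
    """Evaluate the propositional skeleton under assignment: predicate -> bool."""
    if f[0] == 'and':
        return all(evaluate(g, assignment) for g in f[1:])
    if f[0] == 'or':
        return any(evaluate(g, assignment) for g in f[1:])
    return assignment[f]

def inconsistent_cycles(edges):
    """Simple cycles of the separation graph (edge (x, y, c, strict, var) per predicate
    x ⋈ y + c) whose weight contradicts 0 ⋈ sum(c): sum(c) > 0, or == 0 with a strict
    edge.  Cycles are rooted at their smallest node, so each simple cycle appears once."""
    found = []
    def walk(start, node, path, seen):
        for e in edges:
            if e[0] != node:
                continue
            cyc = path + [e]
            if e[1] == start:
                total = sum(c for _, _, c, _, _ in cyc)
                if total > 0 or (total == 0 and any(s for _, _, _, s, _ in cyc)):
                    found.append(cyc)
            elif e[1] > start and e[1] not in seen:
                walk(start, e[1], cyc, seen | {e[1]})
    for v in sorted({x for x, *_ in edges} | {y for _, y, *_ in edges}):
        walk(v, v, [], {v})
    return found

def satisfiable(f, integers=False):
    """phi is satisfiable iff its skeleton plus the transitivity constraints has a model
    (found here by enumeration).  integers=True applies slide 34: x > y + c -> x >= y + c + 1."""
    preds = sorted(predicates(f))
    edges = [(x, y, c + 1, False, p) if integers and s else (x, y, c, s, p)
             for p in preds for x, y, c, s in [p]]
    constraints = [[e[4] for e in cyc] for cyc in inconsistent_cycles(edges)]
    for bits in product((False, True), repeat=len(preds)):
        a = dict(zip(preds, bits))
        if evaluate(f, a) and not any(all(a[v] for v in cyc) for cyc in constraints):
            return True                     # a model of phi exists
    return False
```

For the slide's φ: (x > z + 3 ∧ (z > y − 1 ∨ y ≥ x + 1)) the only contradictory cycle is x → z → y → x, so the call `satisfiable(('and', ('x','z',3,True), ('or', ('z','y',-1,True), ('y','x',1,False))))` returns True with e_{xy,1} false.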

36

Experimental results (1/3)

[Figure: a chain of n diamonds, d = 2]

n diamonds

Each diamond has 2d edges.

Top and bottom paths in each diamond are disjuncted.

There are 2^n conjuncted cycles.

By adjusting the weights, we ensured that there is a single satisfying assignment.

37

Experimental results (2/3)

n  d  ICS  PVS  Coq  Graph analysis  Chaff

3 2: < 1, < 1, < 1
4 2: 5.9, < 1, < 1
5 2: 95.1, < 1, < 1
7 4: > 10^4, > 10^4, < 1, < 1
100 5: > 10^4, 32, < 1
250 5: > 10^4, 754, 1.6
500 5: > 10^4, > 10^4

To be continued...

38

Experimental results (3/3)

Model                Steps   ICS      Graph analysis   Chaff

Load-store unit      1       < 1      < 1              < 1
                     2       87.1     < 1              < 1
                     3       > 10^4   90               1
Out-of-order unit    2       < 1      < 1              < 1
                     3       > 10^4   2.9              < 1
Cache Protocol       1       < 1      < 1              < 1
                     2       1.8      < 1              < 1

To be continued...

The procedure has recently been integrated into SyMP and Euclid. We currently experiment with real software verification problems.

40

Next: Linear Arithmetic (1/2)

Separation predicates: x > y + c  →  an edge from x to y with weight c

Adding constraints according to accumulated cycle weight:

[Figure: a cycle with edge weights c1, c2, c3]

The test c1 + c2 + c3 > 0 results in a yes/no answer.

41

Next: Linear Arithmetic (2/2)

Linear Arithmetic: x > y + 2z + c  →  an edge from x to y with weight 2z + c

[Figure: a cycle over x and y whose edges carry the weight 2z + c and two further linear expressions]

The test "accumulated edge weight > 0" results in a new predicate!

Shostak [81]: 'Deciding linear inequalities by computing loop residues'
- Determine a fixed variable order
- Represent each predicate by its two 'highest' variables

This procedure guarantees termination.