A propositional world
Ofer Strichman
Joint work with
Randal Bryant and Sanjit Seshia
School of Computer Science, Carnegie Mellon University
1
Integrated decision procedures in
Theorem-Provers
Deciding a combination of theories is the key for automation
in Theorem Provers:
Boolean operators, Bit-vector, Sets, Linear-Arithmetic,
Uninterpreted functions, More …
Uninterpreted
functions
Linear
Arithmetic
Bit-Vector
operators
f(f(x)-f(y)) != f(z) & y <=x + 2 | b & 3 > 10
Normally, each theory is solved with its own decision procedure and
the results are combined (Shostak, Nelson..).
2
Integrated decision procedures in
Theorem-Provers
All of these theories, except linear arithmetic, have known
efficient direct reductions to propositional logic.
Thus, reducing linear arithmetic to propositional logic will:
1. Enable integration of theories in the propositional logic level.
2. Potentially be faster than known techniques.
3
Linear Arithmetic and its sub-theories
  {, , , , }
 ai xi  c
i
2x –3y +5z < 0
5x + 2w  2
Some useful methods for solving a conjunction of linear
arithmetic expressions:
1.
2.
3.
4.
5.
Simplex, Elliptic curve
Variable Elimination Methods (Hodes, Fourier-Motzkin,..)
Shostak’s loop residues
Separation theory: Bellman / Pratt ...
...
4
A decision procedure for separation theory
Separation predicates have the form x > y + c
where x,y are real variables, and c is a constant
Pratt [73] (/Bellman[57]):
Given a set of conjuncted separation predicates 
1. Construct the `inequality graph’
2.  is satisfiable iff there is no cycle with non-negative
accumulated weight
x
: ( x > z +3  z > y –1  y > x+1)
3
1
y
-1
z
5
Handling disjunctions through case splitting
All previously mentioned algorithms handle disjunctions
by splitting the formula.
This can be thought of as a two stage process:
1. Convert formula to Disjunctive Normal Form (DNF)
2. Solve each clause separately, until satisfying one of them.
(A common improvement: split ‘when needed’)
Case splitting is frequently the bottleneck of the procedure
6
So what can be done against case-splitting ?
Answer: Split the domain, not the formula.
Given a formula , this transformation can be done if
’ s.t. |=   |= ’, and ’ is decidable under a finite domain.
When is this possible?
•  enjoys the ‘Small model property’, or
• Tailor-made reduction
7
SAT vs. infinite-state decision procedures
With finite instantiation (e.g. SAT), we split the domain.
Infinite state decision procedures split the formula.
So what’s the big difference ?
8
SAT vs. infinite-state decision procedures
Three mechanisms, crucial for efficient decision making:
1. Pruning.
2. Learning.
3. Guidance (prioritizing internal steps)
SAT has a significant advantage in all three.
10
SAT vs. infinite-state decision procedures (1/4)
1. Pruning
x
1
SAT: each clause c prunes
up to 2|v|-|c| states.
0
Backtrack
y
1
0
.
(x  y)
.
.
Pruned!
|v|=1000, |c| =2
Pruning 2998 states
Others: ? (stops when finds a satisfiable clause)
11
SAT vs. infinite-state decision procedures (2/4)
2. Learning
SAT: Partial assignments that lead to a conflict are recorded and
hence not repeated.
Others: (depends on decision procedure)
- Adding proved sub-goals as antecedents to new sub-goals
-…
12
SAT vs. infinite-state decision procedures (3/4)
3. Guidance (prioritizing internal steps)
Consider 1 2, where 1 is unsat and hard, and 2 is sat and easy.
With proper guidance, a theorem prover should start from 2.
Guidance requires efficient estimation:
- How hard it is to solve each sub-formula?
- To what extent will it simplify the rest of the proof?
13
SAT vs. infinite-state decision procedures (4/4)
3. Guidance (cont’d)
“..To what extent will it simplify the rest of the proof?”
SAT: Guidance through decision heuristics (e.g. DLIS).
Estimating simplification by counting literals
in each phase
(x  y  z)
(x  v)
(~x  ~z)
Others: Expression ordering, ...
14
Example: Equality Logic with Uninterpreted
Functions (1/3)
Equality Logic with Uninterpreted Functions:
u1  f ( x)  u2  f ( y)  z  g (u1 , u2 )  z  g ( f ( x), f ( y))
(Uninterpreted functions are reducible to equality logic. Thus, we
can concentrate on equality logic)
Traditional infinite-state decision procedure:
Congruence Closure with case splitting.
15
Example: Equality Logic (2/3)
Since 1998, several groups devised finite-state decision procedures
for this theory:
• Goel et. al. (CAV’98) – Boolean encoding and BDDs
• Bryant et. al. (CAV’99) – Positive-equality + finite instantiation
• Pnueli et. al. (CAV’99) – Small domains instantiation
• Bryant et. al. (CAV’00) – Boolean encoding with explicit constraints
16
Example: Equality Logic (3/3)
Bryant et. al. (CAV’00): Add transitivity constraints to the formula.
Let (x=y, y=z, x=z) be the equality predicates in .
x
1. Construct the equality graph.
2. Impose transitivity on cycles:
exy + eyz + exz  2
exy
y
exz
eyz
z
The resulting formula is propositional  BDDs , SAT, etc.
18
This work
Extends the results of Bryant et.al. to a Boolean combination of:
  {, }
1. Separation predicates:
x, y : real;
x yc
x, y :int;
x yc
Done
2. Separation predicates for integers:
3. Linear arithmetic:
4. Integer linear arithmetic:
x, y : real;
2x  3 y  2z  c
x, y :int;
2x  3 y  2z  c
20
Usability
Separation predicates:
“Most verification conditions involving inequalities are
separation predicates” [Pratt, 1973]:
Array bounds checks, tests on index variables, timing constraints,
worst execution time analysis, etc.
Linear arithmetic: All of the above + …
+ Linear programming,
+ Integer Linear programming.
21
Reducing separation predicates to propositional logic (1/6)
A. Normalize (example):
: f(x) > f(y+1)
1. Uninterpreted functions  equality logic
: (x=y+1  f1=f2)  (f1>f2)
2. Normal form
xy+1
f1=f2
: (x>y+1  y>x-1  (f1  f2  f2  f1))  (f1>f2)
Now  has no negations and only the ‘>’ and ‘’ predicate symbols.
22
Reducing separation predicates to propositional logic (3/6)
B. Encode + construct graph (example):
: ( x > z +3  (z > y –1  y  x+1))
’: (
e
3 ,
x ,z
( e
1,
z,y

1,
y ,x
e
)) 
x
Separation
graph:
x
and its
dual:
3
1
y
Transitivity
constraints
-1
z
-3
-1
y
1
z
25
Reducing separation predicates to propositional logic (5/6)
C. Add transitivity constraints for each simple cycle (example):
1,
’: ( e3x,,z  (ez ,1y,  e y ,x)) 
Transitivity
constraints
’: ( e3x,,z  (ez ,1y,  e1y,,x))  (( e3x,,z  ez ,1y,  e1y,,x ))
x
x
3
1
y
-1
-3
-1
z
y
1
z
27
Compact representation of constraints (1/4)
n diamonds  2n simple cycles.
.....
Can we do better than that ?
In most cases - yes.
e.g. If the diamonds are ‘balanced’ (c1 + c2 = c3 + c4)  O(n) constraints
.....
c2
c1
c1+ c2
c4
c3
29
Compact representation of constraints (2/4)
Chordal graphs: each cycle of size greater than 3, has a ‘chord’.
G:
In the equality predicates case:
Let C be a cycle in G
Let  be an assignment that violates C’s transitivity ( | C)
Theorem: there exists a cycle c of size 3 in G s.t.  | c
Conclusion: add transitivity constraints only for triangles.
Now only a polynomial no. of constraints is required.
30
Compact representation of constraints (3/4)
Our case is more complicated:
• G is directed
• G is a multi-graph
• Edges have weights
• There are two types of edges
c2
c1
c1+ c2
c3
c4
c5
G is chordal iff:
Every directed cycle of size greater than 3 has a chord
which ‘accumulates’ the weight of the path between its ends.
31
Compact representation of constraints (4/4)
Complexity of making the graph chordal:
1. If the diamonds are ‘balanced’  O(n) constraints
2. If there are uniform weights c1 and c2, c1 c2 on top and bottom
paths  O(n2) constraints
c1
c1 c1
c1
c2
c2 c2
c2
.....
3. Worst case  O(2n)
32
Extension to integer variables (1/2)
x, y :int; x  y  c
(c is an integer)
Given  with integer separation predicates, derive R:
• Declare all variables as real.
• For each predicate x > y + c, add a constraint
x>y +c xy+c +1
Theorem:  is satisfiable iff R is satisfiable
34
Experimental results (1/3)
d=2
.....
n diamonds
Each diamond has 2d edges
Top and bottom paths in each diamond are disjuncted.
There are 2n conjuncted cycles.
By adjusting the weights, we ensured that there is a single
satisfying assignment.
36
Experimental results (2/3)
n
3
4
5
7
100
250
500
d
2
2
2
4
5
5
5
ICS
<1
5.9
95.1
> 104
> 104
> 104
> 104
Graph
PVS Coq analysis
<1
<1
<1
> 104
<1
32
754
> 104
Chaff
<1
<1
<1
<1
<1
1.6
To be continued...
37
Experimental results (3/3)
Model
Load store
unit
Out-oforder-unit
CacheProtocol
Steps
1
2
3
2
3
1
2
Graph
ICS analysis
<1
<1
87.1 < 1
> 104 90
<1
<1
> 104 2.9
<1
<1
1.8
<1
Chaff
<1
<1
1
<1
<1
<1
<1
To be continued...
The procedure has recently been integrated into SyMP and Euclid.
We currently experiment with real software verification problems.
38
Next: Linear Arithmetic (1/2)
Separation predicates:
x>y+c
x
c
y
Adding constraints according to accumulated cycle weight:
c3
c1
The test c1 + c2 + c3 > 0 results in a yes/no answer
c2
40
Next: Linear Arithmetic (2/2)
Linear Arithmetic:
x > y + 2z + c
x
2z + c
y
x
3
2
y
The test 1 + 2 + 3 > 0 results in a new predicate!
Shostak[81]: ‘Deciding linear inequalities by computing loop residues’
- Determine a fixed variable order
- Represent each predicate by its two ‘highest’ variables
This procedure guarantees termination.
41