260 likes | 397 Views
ECI 2007: Specification and Verification of Object-Oriented Programs. Lecture 7. Theory of lists. Formula := A | A Atom := t = t | t t t Term := c | car(t) | cdr(t) | cons(t,t) c SymConst. Axioms: x,y. car(cons(x,y)) = x x,y. cdr(cons(x,y)) = y
E N D
ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 7
Theory of lists • Formula := A | A Atom := t = t | t t t Term := c | car(t) | cdr(t) | cons(t,t) c SymConst • Axioms: • x,y. car(cons(x,y)) = x • x,y. cdr(cons(x,y)) = y • Extend congruence closure to deal with these axioms
Car axiom Cdr axiom x = cons(u,v) cons(car(x), cdr(x)) x cons cons cdr car u v x • Car axiom: x,y. car(cons(x,y)) = x • Cdr axiom: x,y. cdr(cons(x,y)) = y
cons(u,v) = cons(x,y) u x cons cons u v x y • Car axiom: x,y. car(cons(x,y)) = x • Cdr axiom: x,y. cdr(cons(x,y)) = y Suppose cons(x,y) = cons(u,v) = n. Then car(n) = x and car(n) = u, which contradicts u x. Hence, our current algorithm is incomplete.
Problem: There are not enough terms in the e-graph. Solution: Whenever the term cons(u,v) exists in the e-graph, add the term car(cons(u,v)) to the e-graph. cons(u,v) = cons(x,y) u x car car cons cons u v x y
cons(u,v) = cons(x,y) v y cons cons u v x y Problem: There are not enough terms in the e-graph. Solution: Whenever the term cons(u,v) exists in the e-graph, add the term cdr(cons(u,v)) to the e-graph.
Algorithm • Add terms to the e-graph as follows: if cons(u,v) • exists, add car(cons(u,v)) and cdr(cons(u,v)) • 2. Close the graph under congruence and the car and • cdr axioms • 3. If there is a disequality t1 t2 and an equivalence • class containing both t1 and t2, return unsatisfiable. • 4. Otherwise, return satisfiable.
An e-graph G defines a partial interpretation I over the set U of equivalence classes of G. I(c) = EC(c) For f {cons, car, cdr}: I(f)() = EC(f(u)), if f() G I(f)() is undefined, otherwise Completeness • Definition: Suppose and are equivalence classes of G. • car() G iff u s.t. car(u) is a term in G. • cdr() G iff u s.t. cdr(u) is a term in G. • cons(,) G iff u,v s.t. cons(u,v) is a term in G. Definition: Suppose t G. Then EC(t) is the equivalence class containing t.
G0 = e-graph at the termination of the algorithm Gi+1 is obtained from Gi by adding terms as follows: Case I: car cdr cons u v If there are equivalence classes , of Gi such that cons(,) Gi
Case II: car car car car cdr u If there is an equivalence class of Gi such that car() Gi cdr cdr cdr car cdr u If there is an equivalence class of Gi such that cdr() Gi
Model Suppose Ik is the partial interpretation corresponding to the e-graph Gk. Then Ik+1 extends Ik for all k 0. The model is given by the infinite union Uk0Ik.
Theory of arrays • Formula := A | A Atom := t = t | t t | m = m | m m t Term := c | Select(m,t) m MemTerm := f | Update(m,t,t) c SymConst for all objects o and o’, and memories m: o = o’ Select(Update(m,o,v),o’) = v o o’ Select(Update(m,o,v),o’) = Select(m,o’) Extend congruence closure with these axioms
b = Update(a,i,v) Select(b,i) = u u v Select Update u b a i v
b = Update(a,i,e) b = Update(a’,i,e’) e e’ Update b Update a a’ i e e’ Select(b,i) = e and Select(b,i) = e’, which contradicts e e’. Hence, algorithm is incomplete.
Select Rule 1 Update a i e
Select b = Update(a,i,e) b = Update(a’,i,e’) e e’ Update b Update a a’ i e e’
x = Select(Update(a,i,e),j) i j y = Select(Update(a,i’,e’),j) i’ j x y x Select Select y Update Update a i e i’ e’ j
Select Rule 2 Select Update j a i e
Select x = Select(Update(a,i,e),j) i j y = Select(Update(a,i’,e’),j) i’ j x y x Select Select y Update Update a i e i’ e’ j
Update(a,i,e) = Update(a’,i’,e’) Select(a,j) Select(a’,j) i j i’ j Select Select Update Update a i e a’ i’ e’ j Suppose Update(a,i,e) = Update(a’,i’,e’) = n Select(n,j) = Select(a,j) since i j Select(n,j) = Select(a’,j) since i’ j Hence, we get a contradiction
Select Rule 3 Select Update j a i e
Select Update(a,i,e) = Update(a’,i’,e’) Select(a,j) Select(a’,j) i j i’ j Select Select Update Update a i e a’ i’ e’ j
Algorithm • Construct e-graph G for initial set of constraints • For each Update(a,b,c) G, add to G: (Rule 1) • - term Select(Update(a,b,c),b) • constraint Select(Update(a,b,c),b) = c • Maintain e-graph G and set of disequalities D • Iterate: • - Generate case split • Add new terms, equalities, and disequalities • to satisfy Rules 2 and 3 • - If satisfiable return else backtrack
Case I G i = j, D Case II (G Select(a,j)) Select(Update(a,i,v),j) = Select(a,j) , D i j G, D i j Select(Update(a,i,v),j) G Case split:
Case I G i = j, D Case II (G Select(Update(a,i,v),j)) Select(Update(a,i,v),j) = Select(a,j) , D i j G, D i j Update(a,i,v) G Select(a,j) G Case split:
Completeness Similar to the theory of lists