ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 5
Arithmetic programs
• In addition, integer-valued variables with affine operations
• Formula := A | ¬Formula | Formula ∧ Formula
  Atom A := b | t = 0 | t > 0 | t ≥ 0
  Term t := c | x | t + t | t – t | c·t
  b ∈ SymBoolConst, x ∈ SymIntConst, c ∈ {…, -1, 0, 1, …}
Satisfiability modulo arithmetic
• A formula is a boolean combination of literals
• Each literal is a positive or negative atom
• Each atom is either a boolean variable or a linear constraint over integer variables
Example: SAT solver and arithmetic solver working together
Formula: x ≤ y ∧ (a ∨ z > 0) ∧ (¬a ∨ x > y) ∧ y + z ≤ x
Name the arithmetic atoms: b ≡ x ≤ y, c ≡ z > 0, d ≡ x > y, e ≡ y + z ≤ x
Boolean abstraction: b ∧ (a ∨ c) ∧ (¬a ∨ d) ∧ e
• Round 1: SAT solver proposes b = T, e = T. Arithmetic solver: satisfiable.
• Round 2: SAT solver proposes a = F, so b = T, c = T, e = T. Arithmetic solver: unsatisfiable.
• Round 3: SAT solver proposes a = T, so b = T, d = T, e = T. Arithmetic solver: unsatisfiable.
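The three rounds above, as an added Python example rather than code from the lecture: it builds the boolean abstraction of the slide's formula, enumerates assignments of the skeleton in place of a SAT solver, and uses Fourier-Motzkin elimination over the rationals as a stand-in for the lecture's "Arithmetic Solver" box; each theory conflict becomes a blocking clause. The atom names, the CNF encoding, the `sum(coef*var) + const >= 0` representation and the rational-only theory check are this example's own assumptions.

```python
from fractions import Fraction
from itertools import product

# Constructed example (the slide's formula):
#   x <= y  /\  (a \/ z > 0)  /\  (not a \/ x > y)  /\  y + z <= x
# Theory atoms in the normal form  sum(coef*var) + const >= 0, as (coefs, const);
# over the integers "t > 0" is written "t - 1 >= 0".
ATOMS = {
    "b": ({"y": 1, "x": -1}, 0),              # x <= y      ==  y - x >= 0
    "c": ({"z": 1}, -1),                      # z > 0       ==  z - 1 >= 0
    "d": ({"x": 1, "y": -1}, -1),             # x > y       ==  x - y - 1 >= 0
    "e": ({"x": 1, "y": -1, "z": -1}, 0),     # y + z <= x  ==  x - y - z >= 0
}
# Boolean skeleton b /\ (a \/ c) /\ (not a \/ d) /\ e as CNF; literal = (name, polarity).
SKELETON = [[("b", True)], [("a", True), ("c", True)],
            [("a", False), ("d", True)], [("e", True)]]


def atom_constraint(atoms, name, polarity):
    """Constraint for a positive or negative literal of an arithmetic atom."""
    coefs, const = atoms[name]
    if polarity:
        return (dict(coefs), const)
    # not (t >= 0) over the integers is t <= -1, i.e. -t - 1 >= 0
    return ({v: -k for v, k in coefs.items()}, -const - 1)


def fm_satisfiable(constraints):
    """Fourier-Motzkin elimination over the rationals: True iff the conjunction
    of constraints sum(coef*var) + const >= 0 has a rational solution.
    'unsat' is therefore sound for the integers as well; 'sat' is only the
    rational approximation mentioned on the slides, not an integer proof."""
    cons = [(dict(c), Fraction(k)) for c, k in constraints]
    for v in sorted({var for c, _ in cons for var in c}):
        pos = [(c, k) for c, k in cons if c.get(v, 0) > 0]
        neg = [(c, k) for c, k in cons if c.get(v, 0) < 0]
        rest = [(c, k) for c, k in cons if c.get(v, 0) == 0]
        # every lower bound on v is paired with every upper bound on v
        for pc, pk in pos:
            for nc, nk in neg:
                a, b = pc[v], -nc[v]          # both positive; b*pos + a*neg cancels v
                merged = {}
                for w in set(pc) | set(nc):
                    coef = b * pc.get(w, 0) + a * nc.get(w, 0)
                    if w != v and coef != 0:
                        merged[w] = coef
                rest.append((merged, b * pk + a * nk))
        cons = rest
    # only constant constraints "const >= 0" remain
    return all(k >= 0 for _, k in cons)


def lazy_smt(skeleton, atoms):
    """Lazy SMT loop: enumerate assignments of the boolean skeleton (a tiny
    stand-in for the SAT solver), hand the theory literals of each one to the
    arithmetic solver, and on a theory conflict add a blocking clause.
    Returns ("sat", assignment) or ("unsat", number_of_theory_calls)."""
    names = sorted({n for clause in skeleton for n, _ in clause})
    clauses = [list(cl) for cl in skeleton]
    calls = 0
    for values in product([False, True], repeat=len(names)):
        assign = dict(zip(names, values))
        if not all(any(assign[n] == pol for n, pol in cl) for cl in clauses):
            continue                       # violates the skeleton or a learned clause
        calls += 1
        theory = [atom_constraint(atoms, n, assign[n]) for n in names if n in atoms]
        if fm_satisfiable(theory):
            return ("sat", assign)
        # conflict: this combination of theory literals is never tried again
        clauses.append([(n, not assign[n]) for n in names if n in atoms])
    return ("unsat", calls)


if __name__ == "__main__":
    print(lazy_smt(SKELETON, ATOMS))       # ("unsat", 3)
```

With the slide's formula the loop makes three theory calls: the second blocking clause (learned from b, c, d, e all true) already rules out the fourth skeleton assignment, which is the saving a lazy SMT solver gets from learned clauses.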
Affine constraints
A collection of m constraints over n variables:
  a11 x1 + a12 x2 + … + a1n xn + c1 ≥ 0
  a21 x1 + a22 x2 + … + a2n xn + c2 ≥ 0
  …
  am1 x1 + am2 x2 + … + amn xn + cm ≥ 0
Other affine constraints are rewritten into this form:
  a1 x1 + a2 x2 + … + an xn + c > 0   becomes   a1 x1 + a2 x2 + … + an xn + c – 1 ≥ 0
  a1 x1 + a2 x2 + … + an xn + c ≤ 0   becomes   (-a1) x1 + (-a2) x2 + … + (-an) xn + (-c) ≥ 0
  a1 x1 + a2 x2 + … + an xn + c = 0   becomes   the conjunction of the ≥ 0 form and the ≤ 0 form
Satisfiability problem for affine constraints
A collection of m constraints over n variables:
  a11 x1 + a12 x2 + … + a1n xn + c1 ≥ 0
  a21 x1 + a22 x2 + … + a2n xn + c2 ≥ 0
  …
  am1 x1 + am2 x2 + … + amn xn + cm ≥ 0
Does there exist an assignment of x1, x2, …, xn over the integers such that each constraint is satisfied?
Solving affine constraints
• Integer linear programming
  • NP-complete
• Approximate integers by rationals/reals
  • Linear programming
  • Polynomial time (Khachian 1978, Karmarkar 1984)
  • Simplex algorithm (Dantzig 63)
    • exponential worst-case time
    • polynomial behavior in practice
Simplex Algorithm for Affine Constraints
Tableau
          x1    x2   …    xn
   y1    a11   a12   …   a1n    c1
   y2    a21   a22   …   a2n    c2
   …
   ym    am1   am2   …   amn    cm
Row variables: y1, …, ym. Column variables: x1, …, xn.
Read it as:
   y1 = a11 x1 + a12 x2 + … + a1n xn + c1
   y2 = a21 x1 + a22 x2 + … + a2n xn + c2
   …
   ym = am1 x1 + am2 x2 + … + amn xn + cm
Sign constraints: y1 ≥ 0, y2 ≥ 0, …, ym ≥ 0
Example
   x – y + 1 ≥ 0
   x + y + 3 ≥ 0
   -x – 4 ≥ 0
         x    y
   a     1   -1    1
   b     1    1    3
   c    -1    0   -4
(Figure: the lines a = 0, b = 0 and c = 0 in the x–y plane, with the sample point x = 0, y = 0.)
Sample point
          x1    x2   …    xn
   y1    a11   a12   …   a1n    c1
   y2    a21   a22   …   a2n    c2
   …
   ym    am1   am2   …   amn    cm
Set every column variable to 0: x1 = 0, x2 = 0, …, xn = 0.
Each row variable then takes its constant: y1 = c1, y2 = c2, …, ym = cm.
• A tableau is feasible if the sample point satisfies all sign constraints.
• Otherwise, drop a subset of sign constraints to get a feasible tableau.
• For each unsatisfied sign constraint:
  • Look for a different point satisfying the constraint while preserving existing constraints
  • If such a point is found, add the constraint
  • Otherwise, declare unsatisfiable
• Declare satisfiable
Pivot operation
Exchange row i and column j:
1. Solve for xj:
   yi = ai1 x1 + … + aij xj + … + ain xn + ci
   xj = (-1/aij) (ai1 x1 + … + (-1) yi + … + ain xn + ci)
2. Substitute in every row k ≠ i:
   yk = ak1 x1 + … + akj xj + … + akn xn + ck
   yk = (ak1 – akj ai1/aij) x1 + … + (akj/aij) yi + … + (akn – akj ain/aij) xn + (ck – akj ci/aij)
Before the pivot:
          x1    …    xj    …    xn
   y1    a11   …    a1j   …    a1n    c1
   …
   yi    ai1   …    aij   …    ain    ci
   …
   ym    am1   …    amj   …    amn    cm
After pivoting row i with column j:
         x1                    …   yi          …   xn
   y1    (a11 – a1j ai1/aij)   …   (a1j/aij)   …   (a1n – a1j ain/aij)   (c1 – a1j ci/aij)
   …
   xj    (-ai1/aij)            …   (1/aij)     …   (-ain/aij)            (-ci/aij)
   …
   ym    (am1 – amj ai1/aij)   …   (amj/aij)   …   (amn – amj ain/aij)   (cm – amj ci/aij)
Observation A pivot operation preserves the solution set of any tableau.
Worked example
Initial tableau:
         x    y
   a     1   -1    1
   b     1    1    3
   c    -1    0   -4
Drop the sign constraint for c.
Pivot a and x:
         a    y
   x     1    1   -1
   b     1    2    2
   c    -1   -1   -3
Pivot b and y:
          a      b
   x    1/2    1/2   -2
   y   -1/2    1/2   -1
   c   -1/2   -1/2   -2
(Figure: the lines a = 0, b = 0 and c = 0 in the x–y plane, with the sample point x = 0, y = 0.)
Manifestly maximized row variable
A row variable is manifestly maximized if every non-zero entry, other than the entry in the constant column, in its row is negative and lies in a column owned by a restricted variable.
         m    n    x
   y     1   -1    2    0
   l    -1   -3    0   -1
• l is manifestly maximized in the above tableau.
• l is constrained to be at most -1.
• y is not manifestly maximized in the above tableau.
Manifestly unbounded column variable
A column variable is manifestly unbounded if every negative entry in its column is in a row owned by an unrestricted variable.
         x    u
   l     1   -1    0
   y    -1   -1    1
   z    -1   -2   -1
   m     0    1    2
• x is manifestly unbounded in the above tableau.
• x can take arbitrarily large values.
• u is not manifestly unbounded in the above tableau.
Observation
• Given a feasible tableau T and a variable v, there is a sequence of pivot operations on T leading to a tableau T’ such that either
  1. v is manifestly maximized in T’, or
  2. v is manifestly unbounded in T’
Algorithm
1. Create initial tableau T with only those sign constraints that are satisfied by the sample point of T
2. If every row variable satisfies its sign constraint, return satisfiable
3. Pick a row k owned by variable y such that the sign constraint is not satisfied by the sample point of T
4. If y is manifestly maximized in T, return unsatisfiable
5. Pick a column j such that akj is positive
6. If every restricted row has a non-negative entry in column j, perform Pivot(k,j). y becomes manifestly unbounded in T. Therefore, add the sign constraint for y. Go to 2.
7. (i, j) = ComputePivot(k)
8. Perform Pivot(T,i,j)
9. If the sample point of T satisfies the sign constraint for y, then add the sign constraint for y. Go to 2.
10. Go to 4
Observation
• If a row variable y is not manifestly maximized,
  • either there is a positive entry in some column,
  • or there is a negative entry in a column owned by an unrestricted variable
Algorithm
1. Create initial tableau T with only those sign constraints that are satisfied by the sample point of T
2. If every row variable satisfies its sign constraint, return satisfiable
3. Pick a row k owned by variable y such that the sign constraint is not satisfied by the sample point of T
4. If y is manifestly maximized in T, return unsatisfiable
5’. Pick a column j such that akj is negative and the variable in column j is unrestricted.
6. If every restricted row has a non-positive entry in column j, perform Pivot(k,j). y becomes manifestly unbounded in T. Therefore, add the sign constraint for y. Go to 2.
7. (i, j) = ComputePivot(k)
8. Perform Pivot(T,i,j)
9. If the sample point of T satisfies the sign constraint for y, then add the sign constraint for y. Go to 2.
10. Go to 4
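The pivot operation and the algorithm above as an added Python example, not the lecture's own code: a tableau of Fractions with the pivot formulas from the "Pivot operation" slide, the manifestly-maximized test, and the enforcement loop. The slides leave ComputePivot unspecified; here it is assumed to be a ratio test that picks the restricted row that would turn negative first, and since no anti-cycling rule is included a step limit guards the loop. The constraint representation `(name, coefs, const)` for `sum(coef*var) + const >= 0` is also this example's choice. `slide_example` replays the worked example (drop c, pivot a with x, pivot b with y) and reports it unsatisfiable.

```python
from fractions import Fraction


class Tableau:
    """Rows read y_i = a[i][0]*x_0 + ... + a[i][n-1]*x_{n-1} + a[i][n].
    The sample point sets every column variable to 0, so y_i = a[i][n].
    Variables in `restricted` carry a sign constraint (>= 0)."""

    def __init__(self, rows, cols, entries):
        self.rows, self.cols = list(rows), list(cols)
        self.a = [[Fraction(v) for v in row] for row in entries]
        self.restricted = set()

    def const(self, i):
        return self.a[i][-1]

    def pivot(self, i, j):
        """Exchange row i and column j using the slide's formulas."""
        p = self.a[i][j]
        width = len(self.cols) + 1
        # 1. solve row i for x_j: x_j = (1/p) y_i - sum_{m != j} (a_im/p) x_m - c_i/p
        new_row = [-self.a[i][m] / p for m in range(width)]
        new_row[j] = 1 / p
        # 2. substitute x_j into every other row k
        for k in range(len(self.rows)):
            if k == i:
                continue
            f = self.a[k][j]
            self.a[k] = [f * new_row[m] if m == j else self.a[k][m] + f * new_row[m]
                         for m in range(width)]
        self.a[i] = new_row
        self.rows[i], self.cols[j] = self.cols[j], self.rows[i]

    def manifestly_maximized(self, k):
        """Every non-zero entry of row k is negative and in a restricted column."""
        return all(e == 0 or (e < 0 and v in self.restricted)
                   for e, v in zip(self.a[k], self.cols))   # zip drops the constant


def simplex_solve(constraints, variables, max_steps=50):
    """constraints: list of (name, coefs, const) meaning sum(coef*var) + const >= 0.
    Problem variables start as unrestricted columns, constraints as rows.
    Returns ("sat", model) or ("unsat", None)."""
    names = [n for n, _, _ in constraints]
    t = Tableau(names, variables,
                [[c.get(v, 0) for v in variables] + [k] for _, c, k in constraints])
    # step 1: keep only the sign constraints the initial sample point satisfies
    t.restricted = {n for i, n in enumerate(names) if t.const(i) >= 0}
    pending = sorted(set(names) - t.restricted)
    for _ in range(max_steps):
        if not pending:                                   # step 2
            model = {v: t.const(t.rows.index(v)) if v in t.rows else Fraction(0)
                     for v in variables}
            return ("sat", model)
        y = pending[0]                                    # step 3
        k = t.rows.index(y)
        if t.const(k) >= 0:                               # step 9
            t.restricted.add(y); pending.pop(0); continue
        if t.manifestly_maximized(k):                     # step 4
            return ("unsat", None)
        # steps 5/5': a column whose variable may move so that y increases
        j = next(j for j, v in enumerate(t.cols)
                 if t.a[k][j] > 0 or (t.a[k][j] < 0 and v not in t.restricted))
        direction = 1 if t.a[k][j] > 0 else -1
        # assumed ComputePivot: restricted rows that would turn negative first
        limiting = [(t.const(i) / (-direction * t.a[i][j]), i)
                    for i, r in enumerate(t.rows)
                    if r in t.restricted and direction * t.a[i][j] < 0]
        if not limiting:                                  # step 6: y is unbounded
            t.pivot(k, j)
            t.restricted.add(y); pending.pop(0)
        else:                                             # steps 7-8
            t.pivot(min(limiting)[1], j)
    raise RuntimeError("step limit reached (no anti-cycling rule in this example)")


def slide_example():
    """The slide's constraints x - y + 1 >= 0, x + y + 3 >= 0, -x - 4 >= 0."""
    return simplex_solve([("a", {"x": 1, "y": -1}, 1),
                          ("b", {"x": 1, "y": 1}, 3),
                          ("c", {"x": -1}, -4)], ["x", "y"])


if __name__ == "__main__":
    print(slide_example())                                # ("unsat", None)
```

After the second pivot the row of c reads c = -1/2 a - 1/2 b - 2 with a and b restricted, so c is manifestly maximized at -2 and the solver stops with "unsatisfiable"; relaxing the third constraint to -x - 2 >= 0 makes the same two pivots land on a sample point (x = -2, y = -1) that satisfies it.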
Pratt’s Algorithm for Difference Constraints
Difference constraints
Three different kinds of constraints:
   x – y ≤ c
   x ≤ c
   -y ≤ c
• very common in program verification
• satisfiability procedure more efficient than for general affine constraints
• satisfiability procedure complete for integers
Reduction to a graph problem
   Variable x: vertex x
   Constraint x – y ≤ c: edge from y to x with weight c
Introduce a new variable z to denote the value 0:
   x ≤ c   becomes   x – z ≤ c
   -y ≤ c  becomes   z – y ≤ c
• Add a new vertex s.
• Add an edge with weight 0 from s to every other vertex v.
Theorem The set of constraints is satisfiable iff there is no negative cycle in the graph.
Soundness
If there is a negative cycle in the graph, the set of constraints is unsatisfiable.
   x1 – x2 ≤ c1
   x2 – x3 ≤ c2
   …
   xn – x1 ≤ cn
Adding the constraints along the cycle gives 0 ≤ c1 + c2 + … + cn < 0, a contradiction.
Completeness If there is no negative cycle in the graph, the set of constraints is satisfiable.
Bellman-Ford algorithm
   d(s) := 0
   for each vertex v ≠ s: d(v) := ∞
   for each vertex:
      for each edge (u,v):
         if d(v) > d(u) + weight(u,v)
            d(v) := d(u) + weight(u,v)
   for each edge (u,v):
      if d(v) > d(u) + weight(u,v)
         Graph contains a negative-weight cycle
Completeness
If there is no negative cycle in the graph, then d(v) – d(u) ≤ weight(u,v) for each edge (u,v).
Model: Assign to variable x the value d(x) – d(z).
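Pratt's reduction and the Bellman-Ford check from the slides above, as an added Python example that is not the lecture's code. It assumes constraints are given as triples (x, y, c) meaning x – y ≤ c, with the slide's zero variable spelled `z` and the source vertex spelled `s` (so those two names are reserved); the model is read off as d(x) – d(z) exactly as the completeness slide states, and `check_model` confirms it against the original constraints.

```python
INF = float("inf")


def build_graph(constraints):
    """constraints: list of (x, y, c) for x - y <= c.  Use 'z' (the slide's zero
    variable) for a missing side: ('x', 'z', 3) is x <= 3, ('z', 'y', 2) is -y <= 2.
    Returns (vertices, edges); each constraint is an edge from y to x with weight c,
    and the extra source 's' reaches every vertex with weight 0."""
    vertices = {"z"}
    for x, y, _ in constraints:
        vertices |= {x, y}
    edges = [(y, x, c) for x, y, c in constraints]
    edges += [("s", v, 0) for v in sorted(vertices)]
    return sorted(vertices) + ["s"], edges


def bellman_ford(vertices, edges, source="s"):
    """Shortest-path distances from source, or None if a negative cycle exists."""
    d = {v: INF for v in vertices}
    d[source] = 0
    for _ in range(len(vertices) - 1):          # |V| - 1 relaxation rounds suffice
        for u, v, w in edges:
            if d[u] + w < d[v]:
                d[v] = d[u] + w
    for u, v, w in edges:                       # any edge still relaxable => negative cycle
        if d[u] + w < d[v]:
            return None
    return d


def solve_difference(constraints):
    """("unsat", None) on a negative cycle, else ("sat", model) with x := d(x) - d(z)."""
    vertices, edges = build_graph(constraints)
    d = bellman_ford(vertices, edges)
    if d is None:
        return ("unsat", None)
    model = {v: d[v] - d["z"] for v in vertices if v not in ("z", "s")}
    return ("sat", model)


def check_model(constraints, model):
    """Independent check that every x - y <= c holds under the model (z is 0)."""
    value = lambda v: 0 if v == "z" else model[v]
    return all(value(x) - value(y) <= c for x, y, c in constraints)


if __name__ == "__main__":
    # constructed inputs: a negative cycle (2 + -3 < 0), then a satisfiable system
    print(solve_difference([("x", "y", 2), ("y", "x", -3)]))
    print(solve_difference([("x", "y", 2), ("y", "x", -1), ("x", "z", 5), ("z", "y", 4)]))
```

Because every vertex is reachable from s at cost 0, all distances are finite integers, so the model is an integer assignment; this is the completeness for integers the "Difference constraints" slide claims, which the rational relaxation used for general affine constraints does not give.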