1 / 36

Theorem Proving for FOL Satisfiability Procedures

Explore theorem proving techniques for First-Order Logic (FOL) using Professor Necula's lecture on proving algorithms. Discover how to extend the prover language to handle complex invariants and specifications. Learn about goal-directed theorem proving, including existential choices, disjunctions in goals, and clause choices in hypotheses. Understand the limitations and completeness of the prover in dealing with specific theories. Delve into a theory of linear lists, introducing predicates like 'linear' and 'rc0' to tackle complexities in proving linear lists.

dake
Download Presentation

Theorem Proving for FOL Satisfiability Procedures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Theorem Proving for FOLSatisfiability Procedures CS 294-8 Lecture 11 Prof. Necula CS 294-8 Lecture 11

  2. Review • Recall the we use the following logic: Goals: G ::= L | true | G1Æ G2 | H ) G | 8x. G Hypotheses: H ::= L | true | H1Æ H2 Literals: L ::= p(E1, …, Ek) Expressions: E ::= n | f(E1, …, Em) • This is sufficient for VCGen iff: • The invariants, preconditions and postcond. are all from H Prof. Necula CS 294-8 Lecture 11

  3. A Simple and Complete Prover • Define the following symbolic “prove” algorithm • Prove(H, G) - prove the goal “H ) G” Prove(H, true) = true Prove(H, G1Æ G2) = prove(H, G1) && prove(H, G2) Prove(H, H1) G2) = prove(H Æ H1, G2) Prove(H, 8x. G) = prove(H, G[a/x]) (a is “fresh”) Prove(H, L) = unsat(H Æ: L) • We have a simple, sound and complete prover • If we have a way to check unsatisfiability of sets of literals Prof. Necula CS 294-8 Lecture 11

  4. How Powerful is Our Prover? • With VCGen in mind we must restrict invariants to H ::= L | true | H1Æ H2 • No disjunction, implication or quantification ! • Is that bad ? • Consider the function: void insert(LIST *a, LIST * b) { LIST *t = a->next; a->next = b; b->next = t; } • And the problem is to verify that • It preserves linearity: all list cells are pointed to by at most one other list cell • Provided that b is non-NULL and not pointed to by any cell Prof. Necula CS 294-8 Lecture 11

  5. Lists and Linearity • A bit of formal notation (remember the sel/upd): • We write sel(n, a) to denote the value of “a->next” given the state of the “next” field is “n” • We write upd(n, a, b) to denote the new state of the “next” field after “a->next = b” Code is void insert(LIST *a, LIST * b) { LIST *t = a->next; a->next = b; b->next = t; } Pre is (8q. q ¹ 0 )8p1.8p2. sel(n, p1) = sel(n, p2) = q ) p1 = p2) Æ b ¹ 0 Æ8p. sel(n, p) ¹ b) Æ a ¹ 0 Post is (8q.q ¹ 0 )8p1.8p2. sel(n, p1) = sel(n, p2) = q ) p1 = p2) VC is Pre ) Post[upd(upd(n, a, b), b, sel(n, a)) / n]Not a G ! Prof. Necula CS 294-8 Lecture 11

  6. Two Solutions • So it is quite easy to want to step outside H • So what can we do? • Extend the language of H • And then extend the prover • Push the complexity of invariants into literals • And then extend the unsatisfiability procedure Prof. Necula CS 294-8 Lecture 11

  7. Goal Directed Theorem Proving (1) • Finally we extend the use of quantifiers: G ::= L | true | G1Æ G2 | H ) G | 8x. G | 9x. G H ::= L | true | H1Æ H2 | 8x. H • We have now introduced an existential choice • Both in “H )9x. G” and “8x.H ) G” • Existential choices are postponed • Introduce unification variables + unification prove(H, 9x.G) = prove(H, G[u/x] ) (u is a unif var) prove(H, u = t) = instantiate u with t if u Ï FV(t) • Still sound and complete goal directed proof search ! • Provided that unsat can handle unification variables ! Prof. Necula CS 294-8 Lecture 11

  8. Goal Directed Theorem Proving (2) • We can add disjunction (but only to goals): G ::= true | L | G1Æ G2 | H ) G | 8x. G | G1Ç G2 • Extend prover as follows: prove(H, G1Ç G2) = prove(H, G1) || prove(H, G2) • This introduces a choice point in proof search • Called a “disjunctive choice” • Backtracking is complete for this choice selection • But only in intuitionistic logic ! Prof. Necula CS 294-8 Lecture 11

  9. Goal Directed Theorem Proving (3) • Now we extend a bit the language of hypotheses • Important since this adds flexibility for invariants and specs. H ::= L | true | H1Æ H2 | G ) H • We extend the prover as follows: prove(H, (G1) H1) ) G) = prove(H, G) || (prove(H Æ H1, G) && prove(H, G1)) • This adds another choice (clause choice in Prolog) expressed here also as a disjunctive choice • Still complete with backtracking Prof. Necula CS 294-8 Lecture 11

  10. Goal Directed Theorem Proving (4) • The VC for linear lists can be proved in this logic ! • This logic is called Hereditary Harrop Formulas • But the prover is not complete in a classical sense • And thus complications might arise with certain theories • Still no way to have disjunctive hypotheses • The prover becomes incomplete even in intuitionistic logic • E.g., cannot prove even that P Ç Q ) Q Ç P • Let’s try the other method instead … Prof. Necula CS 294-8 Lecture 11

  11. A Theory of Linear Lists • Push the complexity into literals • Define new literals: linear(n) =def8q. q ¹ 0 )8p1.8p2. sel(n, p1) = sel(n, p2) = q ) p1 = p2 rc0(n, b) =defb ¹ 0 )8p. sel(n, p) ¹ b • Now the predicates become: Pre is linear(n) Æ rc0(n, b) Æ a ¹ 0Æ b ¹ 0 Post is linear(n) VC is linear(n) Æ rc0(n, b) Æ a ¹ 0 Æ b ¹ 0 ) linear(upd(upd(n, a, b), b, sel(n, a))))This is a G ! • The hard work is now in the satisfiability procedure Prof. Necula CS 294-8 Lecture 11

  12. A Theory of Linear Lists • In order to allow the prover to work with “linear” and “rc0” we must define their meaning: • Semantically (by giving the definitions from before) • Axiomatically (by giving a set of axioms that define them): • Now we can prove the VC with just three uses of these axioms • Is this set of axioms complete? Prof. Necula CS 294-8 Lecture 11

  13. Discussion • It makes sense to push hard work in literals: • Can be handled in a customized way within the Sat procedures • The hand-crafted inference rules guide the prover • The inference rules are useful lemmas • Important technique #3 • Just like in type inference, or data flow analysis : Prof. Necula CS 294-8 Lecture 11

  14. Theories • Now we turn to unsat(L1, …, Lk) • A theory consists of: • A set of function and predicate symbols (syntax) • Definitions for the meaning of these symbols (semantics) • Semantic or axiomatic definitions • Example: • Symbols: 0, 1, -1, 2, -2, …, +, -, =, < (with the usual meaning) • Theory of integers with arithmetic (Presburger arithmetic) Prof. Necula CS 294-8 Lecture 11

  15. Decision Procedures for Theories • The Decision Problem: • Decide whether a formula in a theory + FOL is true • Example: • Decide whether 8x. x > 0 ) (9 y. x = y + 1) in {N, +, =, >} • A theory is decidable when there is an algorithm that solves the decision problem for the theory • This algorithm is the decision procedure for the theory Prof. Necula CS 294-8 Lecture 11

  16. Satisfiability Procedures for Theories • The Satisfiability Problem • Decide whether a conjunction of literals in the theory is satisfiable • Factor out the FOL part of the decision problem • This is what we need to solve in our simple prover • We will explore a few useful theories and satisfiability procedures for them … Prof. Necula CS 294-8 Lecture 11

  17. Examples of Theories. Equality. • The theory of equality with uninterpreted functions • Symbols: =, ¹, f, g, … • Axiomatically defined: • Example of a satisfiability problem: • g(g(g(x)) = x Æ g(g(g(g(g(x))))) = x Æ g(x) ¹ x Prof. Necula CS 294-8 Lecture 11

  18. A Satisfiability Procedure for Equality • Definitions: • Let R be a relation on terms • The equivalence closure of R is the smallest relation that is closed under reflexivity, symmetry and transitivity • An equivalence relation • Equivalence classes • Given a term t we say that t*is its representative • Two terms t1 and t2 are equivalent iff t1* = t2* • Computable in near-linear time (union-find) • The congruence closure of a relation is the smallest relation that is closed under equivalence and congruence Prof. Necula CS 294-8 Lecture 11

  19. A Representation for Symbolic Terms • We represent terms as DAGs • Share common subexpressions • E.g. f(f(a, b), b): f f a b • Equalities are represented as dotted edges • E.g. f(f(a, b), b) = a • We consider the transitive closure of dotted edges Prof. Necula CS 294-8 Lecture 11

  20. Computing Congruence Closure • We pick arbitrary representativs for all equivalence classes (nodes connected by dotted edges) • For all nodes t = f(t1, …, tn) and s = f(s1, …, sn) • If ti* = si* for all i = 1..n (find) • We add an edge between t* and s* and pick one of them as the representative for the entire class (union) f f f f a b a b Prof. Necula CS 294-8 Lecture 11

  21. Computing Congruence Closure (Cont.) • Congruence closure is an inference procedure for the theory of equality • Always terminates because it does not add nodes • The hard part is to detect the congruent pairs or terms • There are tricks to do this in O(n log n) • We say that f(t1, …, tn) is represented in the DAG if there is a node f(s1, …, sn) such that si* = ti* Prof. Necula CS 294-8 Lecture 11

  22. Satisfiability Procedure for Equality • Given F = Æi ti = ti’ ÆÆj uj¹ uj’ • Represent all terms in the same DAG • Add dotted edges for tI = tI’ • Construct the congruence closure of those edges • Check that 8j. uj*¹ uj’* Theorem: F is satisfiable iff 8j. uj*¹ uj’* Prof. Necula CS 294-8 Lecture 11

  23. g g g g g g g g g g g g g g g g g g g g Contra- diction x x x x Example with Congruence Closure • Consider: g(g(g(x)) = x Æ g(g(g(g(g(x))))) = x Æ g(x) ¹ x Prof. Necula CS 294-8 Lecture 11

  24. Congruence Closure. Discussion. • The example from before has little to do with program verification • But equality is still very useful • The congruence closure algorithm is the basis for many unification-based satisfiability procedures • We add the additional axiom: • Or equivalently: Prof. Necula CS 294-8 Lecture 11

  25. Presburger Arithmetic • The theory of integers with +, -, =, > • The most useful in program verification after equality • And quite useful for program analysis also • Example of a satisfiability problem: y > 2x + 1 Æ y + x > 1 Æ y < 0 • Satisfiability of a system of linear inequalities • Known to be in P (with rational solutions) • Some of the algorithms are quite simple • If we add the requirement that solutions are in Z then the problem is NP-complete Prof. Necula CS 294-8 Lecture 11

  26. Difference Constraints • A special case of linear arithmetic • All constraints of the form: xi - xj· c or xi - 0 · c or 0 - xj· c • The most common form of constraint • Construct a directed graph with: • A node for 0 • A node for each variable xi • A edge from xito xj of weight c for each xi - xj· c c xj xi Prof. Necula CS 294-8 Lecture 11

  27. Difference Constraints Theorem: A set of difference constraints is satisfiable iff there is no negative weight cycle in the graph • Can be solved with Bellman-Ford in O(n2) • In practice n is typically quite small • In practice we use incremental algorithms (to account for assumptions being pushed and popped) • Algorithm is complete ! • Was used successfully in array-bounds checking elimination and induction variable discovery Prof. Necula CS 294-8 Lecture 11

  28. Extensions of Difference Constraints • Shostak extended the algorithm to ax + by · c • Construct a graph as before • One node for each variable • One undirected edge for each constraint • An admissible loop in this graph is a loop in which any two adjacent edges “ax + by · c” and “dy + ez · f” have sgn(b) ¹ sgn(d) • The residue of such adjacent edges is a constraint on x and z a|d| x + e|b| z · c|d| + f|b| • The residue for a loop is an inequality without variables Theorem: The inequalities are satisfiable iff all residues for simple loops are satisfiable Prof. Necula CS 294-8 Lecture 11

  29. How Complete are These Procedures? • Consider: 3x ¸ 2y Æ 3y ¸ 4 Æ 3 ¸ 2x ¢ 3 x y Residue is: 13.5 ¸ 8) satisfiable ¢ 2 ¢ 4.5 But only in Q, not in Z 0 • The unsat procedure is sound: unsat Q) unsat Z • But it is incomplete ! • Not a problem in practice • Or the problem goes away with tricks like this: • Transform “ax ¸ b” into “x ¸d b/a e” Prof. Necula CS 294-8 Lecture 11

  30. Arithmetic. Discussion • There are many satisfiability algorithms • Even for the general case (e.g. Simplex) • Except for difference constraints, all are incomplete in Z • But Z can be handled well with heuristics • There are no practical satisfiability procedures for (Q, £) and the satisfiability of (Z, £) is only semi-decidable Prof. Necula CS 294-8 Lecture 11

  31. f(f(x) - f(y))  f(z) x  y y + z  x 0  z y  x x = y f(x) = f(y) 0 = z f(x) - f(y) = z false Combining Satisfiability Procedures • We have developed sat. procedures for several theories • We considered each theory in part • Can we combine several sat. procedures? • Consider equality and arithmetic Prof. Necula CS 294-8 Lecture 11

  32. Combining Satisfiability Procedures • Combining satisfiability procedures is non trivial • And that was to be expected: • (Z, +) and (Q, £) are decidable, but (Z, £) is not • Equality was solved by Ackerman in 1924, arithmetic by Fourier even before, but E + A only in 1979 ! • Yet in any single verification problem we will have literals from several theories: • Equality, arithmetic, lists, … • When and how can we combine separate satisfiability procedures? Prof. Necula CS 294-8 Lecture 11

  33. Nelson-Oppen Method (1) • Represent all conjuncts in the same DAG f(f(x) - f(y))  f(z) Æ y ¸ x Æ x ¸ y + z Æ z ¸ 0 f - ¸ ¸ f f f ¸ + y x z 0 Prof. Necula CS 294-8 Lecture 11

  34. Nelson-Oppen Method (2) • Run each sat. procedure • Require it to report all contradictions (as usual) • Also require it to report all equalities between nodes f - ¸ ¸ f f f ¸ + y x z 0 Prof. Necula CS 294-8 Lecture 11

  35. Nelson-Oppen Method (3) • Broadcast all discovered equalities and re-run sat. procedures • Until no more equalities are discovered or a contradiction arises f x Contradiction - ¸ ¸ f f f ¸ + y x z 0 Prof. Necula CS 294-8 Lecture 11

  36. Puzzle: Constructive vs. Classical Proofs • Prove the following fact: • Hint: Try Prof. Necula CS 294-8 Lecture 11

More Related