360 likes | 378 Views
Learn about a simple and complete prover algorithm for FOL satisfiability procedures. Understand the power of the prover, linearity in lists, and how to extend the language for more complex theorems. Explore disjunction, existential choices, and the theory of linear lists.
E N D
Theorem Proving for FOLSatisfiability Procedures CS 294-8 Lecture 11 Prof. Necula CS 294-8 Lecture 11
Review • Recall the we use the following logic: Goals: G ::= L | true | G1 G2 | H G | x. G Hypotheses: H ::= L | true | H1 H2 Literals: L ::= p(E1, …, Ek) Expressions: E ::= n | f(E1, …, Em) • This is sufficient for VCGen iff: • The invariants, preconditions and postcond. are all from H Prof. Necula CS 294-8 Lecture 11
A Simple and Complete Prover • Define the following symbolic “prove” algorithm • Prove(H, G) - prove the goal “H G” Prove(H, true) = true Prove(H, G1 G2) = prove(H, G1) && prove(H, G2) Prove(H, H1 G2) = prove(H H1, G2) Prove(H, x. G) = prove(H, G[a/x]) (a is “fresh”) Prove(H, L) = unsat(H L) • We have a simple, sound and complete prover • If we have a way to check unsatisfiability of sets of literals Prof. Necula CS 294-8 Lecture 11
How Powerful is Our Prover? • With VCGen in mind we must restrict invariants to H ::= L | true | H1 H2 • No disjunction, implication or quantification ! • Is that bad ? • Consider the function: void insert(LIST *a, LIST * b) { LIST *t = a->next; a->next = b; b->next = t; } • And the problem is to verify that • It preserves linearity: all list cells are pointed to by at most one other list cell • Provided that b is non-NULL and not pointed to by any cell Prof. Necula CS 294-8 Lecture 11
Lists and Linearity • A bit of formal notation (remember the sel/upd): • We write sel(n, a) to denote the value of “a->next” given the state of the “next” field is “n” • We write upd(n, a, b) to denote the new state of the “next” field after “a->next = b” Code is void insert(LIST *a, LIST * b) { LIST *t = a->next; a->next = b; b->next = t; } Pre is (q.q ¹ 0 p1.p2.sel(n, p1) = sel(n, p2) = q p1 = p2) b ¹ 0 p.sel(n, p) ¹ b a ¹ 0 Post is (q.q ¹ 0 p1.p2. sel(n, p1) = sel(n, p2) = q p1 = p2) VC is Pre Post[upd(upd(n, a, b), b, sel(n, a)) / n]Not a G ! Prof. Necula CS 294-8 Lecture 11
Two Solutions • So it is quite easy to want to step outside H • So what can we do? • Extend the language of H • And then extend the prover • Push the complexity of invariants into literals • And then extend the unsatisfiability procedure Prof. Necula CS 294-8 Lecture 11
Goal Directed Theorem Proving (1) • Finally we extend the use of quantifiers: G ::= L | true | G1 G2 | H G | x. G | x. G H ::= L | true | H1 H2 | x. H • We have now introduced an existential choice • Both in “H x. G” and “x.H G” • Existential choices are postponed • Introduce unification variables + unification prove(H, x.G) = prove(H, G[u/x] ) (u is a unif var) prove(H, u = t) = instantiate u with t if u Ï FV(t) • Still sound and complete goal directed proof search ! • Provided that unsat can handle unification variables ! Prof. Necula CS 294-8 Lecture 11
Goal Directed Theorem Proving (2) • We can add disjunction (but only to goals): G ::= true | L | G1 G2 | H G | x. G | G1 G2 • Extend prover as follows: prove(H, G1 G2) = prove(H, G1) || prove(H, G2) • This introduces a choice point in proof search • Called a “disjunctive choice” • Backtracking is complete for this choice selection • But only in intuitionistic logic ! Prof. Necula CS 294-8 Lecture 11
Goal Directed Theorem Proving (3) • Now we extend a bit the language of hypotheses • Important since this adds flexibility for invariants and specs. H ::= L | true | H1 H2 | G H • We extend the prover as follows: prove(H, (G1 H1) G) = prove(H, G) || (prove(H H1, G) && prove(H, G1)) • This adds another choice (clause choice in Prolog) expressed here also as a disjunctive choice • Still complete with backtracking Prof. Necula CS 294-8 Lecture 11
Goal Directed Theorem Proving (4) • The VC for linear lists can be proved in this logic ! • This logic is called Hereditary Harrop Formulas • But the prover is not complete in a classical sense • And thus complications might arise with certain theories • Still no way to have disjunctive hypotheses • The prover becomes incomplete even in intuitionistic logic • E.g., cannot prove even that P Q Q P • Let’s try the other method instead … Prof. Necula CS 294-8 Lecture 11
A Theory of Linear Lists • Push the complexity into literals • Define new literals: linear(n) =def q.q ¹ 0 p1.p2. sel(n, p1) = sel(n, p2) = q p1 = p2 rc0(n, b) =defb ¹ 0 p. sel(n, p) ¹ b • Now the predicates become: Pre is linear(n) rc0(n, b) a ¹ 0 b ¹ 0 Post is linear(n) VC is linear(n) rc0(n, b) a ¹ 0 b ¹ 0 linear(upd(upd(n, a, b), b, sel(n, a))))This is a G ! • The hard work is now in the satisfiability procedure Prof. Necula CS 294-8 Lecture 11
A Theory of Linear Lists • In order to allow the prover to work with “linear” and “rc0” we must define their meaning: • Semantically (by giving the definitions from before) • Axiomatically (by giving a set of axioms that define them): • Now we can prove the VC with just three uses of these axioms • Is this set of axioms complete? Prof. Necula CS 294-8 Lecture 11
Discussion • It makes sense to push hard work in literals: • Can be handled in a customized way within the Sat procedures • The hand-crafted inference rules guide the prover • The inference rules are useful lemmas • Important technique #3 • Just like in type inference, or data flow analysis : Prof. Necula CS 294-8 Lecture 11
Theories • Now we turn to unsat(L1, …, Lk) • A theory consists of: • A set of function and predicate symbols (syntax) • Definitions for the meaning of these symbols (semantics) • Semantic or axiomatic definitions • Example: • Symbols: 0, 1, -1, 2, -2, …, +, -, =, < (with the usual meaning) • Theory of integers with arithmetic (Presburger arithmetic) Prof. Necula CS 294-8 Lecture 11
Decision Procedures for Theories • The Decision Problem: • Decide whether a formula in a theory + FOL is true • Example: • Decide whether x. x > 0 (y. x = y + 1) in {N, +, =, >} • A theory is decidable when there is an algorithm that solves the decision problem for the theory • This algorithm is the decision procedure for the theory Prof. Necula CS 294-8 Lecture 11
Satisfiability Procedures for Theories • The Satisfiability Problem • Decide whether a conjunction of literals in the theory is satisfiable • Factor out the FOL part of the decision problem • This is what we need to solve in our simple prover • We will explore a few useful theories and satisfiability procedures for them … Prof. Necula CS 294-8 Lecture 11
Examples of Theories. Equality. • The theory of equality with uninterpreted functions • Symbols: =, ¹, f, g, … • Axiomatically defined: • Example of a satisfiability problem: • g(g(g(x)) = x g(g(g(g(g(x))))) = x g(x) ¹ x Prof. Necula CS 294-8 Lecture 11
A Satisfiability Procedure for Equality • Definitions: • Let R be a relation on terms • The equivalence closure of R is the smallest relation that is closed under reflexivity, symmetry and transitivity • An equivalence relation • Equivalence classes • Given a term t we say that t*is its representative • Two terms t1 and t2 are equivalent iff t1* = t2* • Computable in near-linear time (union-find) • The congruence closure of a relation is the smallest relation that is closed under equivalence and congruence Prof. Necula CS 294-8 Lecture 11
A Representation for Symbolic Terms • We represent terms as DAGs • Share common subexpressions • E.g. f(f(a, b), b): f f a b • Equalities are represented as dotted edges • E.g. f(f(a, b), b) = a • We consider the transitive closure of dotted edges Prof. Necula CS 294-8 Lecture 11
Computing Congruence Closure • We pick arbitrary representativs for all equivalence classes (nodes connected by dotted edges) • For all nodes t = f(t1, …, tn) and s = f(s1, …, sn) • If ti* = si* for all i = 1..n (find) • We add an edge between t* and s* and pick one of them as the representative for the entire class (union) f f f f a b a b Prof. Necula CS 294-8 Lecture 11
Computing Congruence Closure (Cont.) • Congruence closure is an inference procedure for the theory of equality • Always terminates because it does not add nodes • The hard part is to detect the congruent pairs or terms • There are tricks to do this in O(n log n) • We say that f(t1, …, tn) is represented in the DAG if there is a node f(s1, …, sn) such that si* = ti* Prof. Necula CS 294-8 Lecture 11
Satisfiability Procedure for Equality • Given F = i ti = ti’ j uj¹ uj’ • Represent all terms in the same DAG • Add dotted edges for tI = tI’ • Construct the congruence closure of those edges • Check that j. uj*¹ uj’* Theorem: F is satisfiable iff j. uj*¹ uj’* Prof. Necula CS 294-8 Lecture 11
g g g g g g g g g g g g g g g g g g g g Contra- diction x x x x Example with Congruence Closure • Consider: g(g(g(x)) = x g(g(g(g(g(x))))) = x g(x) ¹ x Prof. Necula CS 294-8 Lecture 11
Congruence Closure. Discussion. • The example from before has little to do with program verification • But equality is still very useful • The congruence closure algorithm is the basis for many unification-based satisfiability procedures • We add the additional axiom: • Or equivalently: Prof. Necula CS 294-8 Lecture 11
Presburger Arithmetic • The theory of integers with +, -, =, > • The most useful in program verification after equality • And quite useful for program analysis also • Example of a satisfiability problem: y > 2x + 1 y + x > 1 y < 0 • Satisfiability of a system of linear inequalities • Known to be in P (with rational solutions) • Some of the algorithms are quite simple • If we add the requirement that solutions are in Z then the problem is NP-complete Prof. Necula CS 294-8 Lecture 11
Difference Constraints • A special case of linear arithmetic • All constraints of the form: xi - xj c or xi - 0 c or 0 - xj c • The most common form of constraint • Construct a directed graph with: • A node for 0 • A node for each variable xi • A edge from xito xj of weight c for each xi - xj c c xj xi Prof. Necula CS 294-8 Lecture 11
Difference Constraints Theorem: A set of difference constraints is satisfiable iff there is no negative weight cycle in the graph • Can be solved with Bellman-Ford in O(n2) • In practice n is typically quite small • In practice we use incremental algorithms (to account for assumptions being pushed and popped) • Algorithm is complete ! • Was used successfully in array-bounds checking elimination and induction variable discovery Prof. Necula CS 294-8 Lecture 11
Extensions of Difference Constraints • Shostak extended the algorithm to ax + by c • Construct a graph as before • One node for each variable • One undirected edge for each constraint • An admissible loop in this graph is a loop in which any two adjacent edges “ax + by c” and “dy + ez f” have sgn(b) ¹ sgn(d) • The residue of such adjacent edges is a constraint on x and z a|d| x + e|b| z c|d| + f|b| • The residue for a loop is an inequality without variables Theorem: The inequalities are satisfiable iff all residues for simple loops are satisfiable Prof. Necula CS 294-8 Lecture 11
How Complete are These Procedures? • Consider: 3x 2y 3y 4 3 2x ¢ 3 x y Residue is: 13.5 8satisfiable ¢ 2 ¢ 4.5 But only in Q, not in Z 0 • The unsat procedure is sound: unsat Q unsat Z • But it is incomplete ! • Not a problem in practice • Or the problem goes away with tricks like this: • Transform “ax b” into “x b/a” Prof. Necula CS 294-8 Lecture 11
Arithmetic. Discussion • There are many satisfiability algorithms • Even for the general case (e.g. Simplex) • Except for difference constraints, all are incomplete in Z • But Z can be handled well with heuristics • There are no practical satisfiability procedures for (Q, ) and the satisfiability of (Z, ) is only semi-decidable Prof. Necula CS 294-8 Lecture 11
f(f(x) - f(y)) f(z) x y y + z x 0 z y x x = y f(x) = f(y) 0 = z f(x) - f(y) = z false Combining Satisfiability Procedures • We have developed sat. procedures for several theories • We considered each theory in part • Can we combine several sat. procedures? • Consider equality and arithmetic Prof. Necula CS 294-8 Lecture 11
Combining Satisfiability Procedures • Combining satisfiability procedures is non trivial • And that was to be expected: • (Z, +) and (Q, ) are decidable, but (Z, ) is not • Equality was solved by Ackerman in 1924, arithmetic by Fourier even before, but E + A only in 1979 ! • Yet in any single verification problem we will have literals from several theories: • Equality, arithmetic, lists, … • When and how can we combine separate satisfiability procedures? Prof. Necula CS 294-8 Lecture 11
Nelson-Oppen Method (1) • Represent all conjuncts in the same DAG f(f(x) - f(y)) f(z) y x x y + z z 0 f - f f f + y x z 0 Prof. Necula CS 294-8 Lecture 11
Nelson-Oppen Method (2) • Run each sat. procedure • Require it to report all contradictions (as usual) • Also require it to report all equalities between nodes f - f f f + y x z 0 Prof. Necula CS 294-8 Lecture 11
Nelson-Oppen Method (3) • Broadcast all discovered equalities and re-run sat. procedures • Until no more equalities are discovered or a contradiction arises f x Contradiction - f f f + y x z 0 Prof. Necula CS 294-8 Lecture 11
Puzzle: Constructive vs. Classical Proofs • Prove the following fact: • Hint: Try Prof. Necula CS 294-8 Lecture 11