Decision Procedures in First Order Logic

Decision Procedures in First Order Logic Part II – Equality Logic and Uninterpreted Functions Ofer Strichman, Technion

Part I - Introduction • Reminders - • What is Logic • Proofs by deduction • Proofs by enumeration • Decidability, Soundness and Completeness • Some notes on Propositional Logic • Deciding Propositional Logic • SAT tools • BDDs   Technion

Part II – Introduction toEquality Logic and Uninterpreted Functions • Introduction • Definition, complexity • Reducing Uninterpreted Functions to Equality Logic • Using Uninterpreted Functions in proofs • Simplifications • Introduction to the decision procedures • The framework: assumptions and Normal Forms • General terms and notions • Solving a conjunction of equalities • Simplifications Technion

Equality Logic • A Boolean combination of Equalities and Propositions x1=x2Æ (x2=x3Ç: ((x1=x3) ÆbÆx1= 2)) • We will always push negations inside (NNF): x1=x2Æ (x2=x3Ç ((x1x3) Ç:bÇx1 2)) • Note: the set of Boolean variables is always separate from the set of term variables Technion

Equality Logic: the grammar • formula : formulaÇformula | :formula | atom • atom : term-variable = term-variable | term-variable = constant | Boolean-variable term-variables are defined over some (possible infinite) domain. The constants are from the same domain. Technion

Expressiveness and complexity • Allows more natural description of systems,althoughtechnically it is as expressible as Propositional Logic. • Clearly NP-hard. • In fact, it is in NP, and hence NP-complete, for reasons we shall see later. Technion

Expressiveness and complexity • Q1: Let L1 and L2 be two logics whose satisfiability problem is decidable and in the same complexity class. Is the satisfiability problem of an L1 formula reducible to a satisfiability problem of an L2 formula? • Q2: Let L1 and L2 be two logics whose satisfiability problems are reducible to one another. Are L1 and L2 in the same complexity class ? Technion

Equality logic with uninterpreted functions • formula : formulaÇformula | :formula | atom • atom : term = term | Boolean-variable • term : term-variable | function ( list of terms ) term-variables are defined over some (possible infinite) domain. Note that constants are functions with empty list of terms. Technion

Uninterpreted Functions • Every function is a mapping from a domain to a range. • Example: the ‘+’ function over the naturals N is a mapping from <N£N> to N. Technion

Uninterpreted Functions • Now: suppose we replace ‘+’ with an uninterpreted Binary function f (h1st argi , h 2nd arg i) • For example: x1+ x2 = x3+x4 is replaced with • We lost the ‘semantics’ of ‘+’. In other words, fcanrepresent any binary function. • Loosing the semantics means that f is not restricted by any axioms. • But f is still a function! Technion

Uninterpreted Functions (UF’s) • The most general axiom for any function is functional consistency. • Example: if x = y, then f(x) = f(y) for any function f. • Functional consistency axiom scheme: x1=x1’ Æ … Æxn=xn’ !f(x1,…, xn) = f(x1’,…, xn’) • Sometimes, functional consistency is all that is needed for the proof. Technion

Example: Circuit Transformations • Circuits consist of combinationalgates and latches (registers) • The combinational gates can be modeled using functions • The latches can be modeled with variables Latch R1 I Combi- national part Technion

Example: Circuit Transformations Some bitvector Input Some function, say I >> 5 Some other function, say L1 & 100110001… Some condition on L2 Technion

Example: Circuit Transformations Stage 1 • A pipeline processes data in stages • Data is processed in parallel – as in an assembly line • Formal Model: Stage 2 Stage 3 Technion

Example: Circuit Transformations • The maximum clock frequency depends on the longest path between two latches • Note that the output of g is usedas input to k • We want to speed up the design by postponing k to the third stage • Also note that the circuit only uses one of L3 or L4, never both • We can remove one of the latches Technion

Example: Circuit Transformations ? = Technion

Example: Circuit Transformations • Equivalence in this case holds regardless of the actual functions • Conclusion: can be decided using Equality Logic and Uninterpreted Functions Technion

F( ), G( ),… f1 F2(F1(x)) = 0 f2 f2 =0 UFs  Equality Logic: Ackermann’s reduction • For each function in UF: • Number function instances (from the inside out) • Replace each function instance with a new variable • Condition UF with a functional consistency constraint for every pair of instances of thesame function. Given a formula UF with uninterpreted functions ((x=f1) f1=f2 )  (f2=0) Technion

Ackermann’s reduction : Example • Given the formula(x1x2) Ç (F(x1) =F(x2)) Ç (F(x1) F(x3))which we want to check for validity, we first number the function instances: (x1x2) Ç (F1(x1) =F2(x2)) Ç (F1(x1) F3(x3)) Technion

Ackermann’s reduction : Example (x1x2) Ç (F1(x1) =F2(x2)) Ç (F1(x1) F3(x3)) • Replace each function with a new variable, (x1x2) Ç (f1 =f2 ) Ç (f1f3 ) • Condition with Functional Consistency constraints: Technion

F( ), G( ),… F1(x1) = F2(x2) case x1=x2 : f1true :f2 f1 = UFs  Equality Logic: Bryant’s reduction Given a formula UF with UFs • For each function in UF: • Number function instances (from the inside out) • Replace a function instance Fi with an expression casex1=xi :f1 x2=xi:f2 xi-1 =xi :fi-1 true :fi Technion

Bryant’s reduction: Example • x1=x2F1(G1(x1)) =F2(G2(x2)) • Replace each function with an expression • where Technion

Using UFs in proofs • Uninterpreted functions gives us the ability to represent an abstract view of functions. • It over-approximates the concrete system. 1 + 1 = 1 is a contradiction But F(1,1) = 1 is satisfiable ! • Conclusion: unless we are careful, we can give wrong answers and this way lose soundness. Technion

Using UFs in proofs • In general a sound and incomplete method is more useful than unsound and complete. • A soundbutincomplete algorithm: • Given a formula with uninterpreted functions UF: • Transform it to Equality Logic formula E • If E is unsatisfiable return Unsatisfiable • Else return ‘Don’t know’ Technion

Using UFs in proofs • Question #1: is this useful ? • Question #2: can it be made complete in some cases ? • When the abstract view is sufficient for the proof, it enables (or simplifies) a mechanicalproof. • So when is the abstract view sufficient ? Technion

Using UFs in proofs (cont’d) • (common) Proving equivalence between: • Two versions of a hardware design (one with and one without a pipeline) • Source and target of a compiler (“Translation Validation”) • (rare) Proving properties that do not rely on the exact functionality of some of the functions. Technion

Example: Translation Validation • Assume the source program has the statementz= (x1+y1)  (x2+y2) which the compiler turned into:u1=x1+y1;u2=x2+y2;z=u1u2 ; • We need to prove that:(u1=x1+y1 u2=x2+y2  z=u1u2)z= (x1+y1)  (x2+y2) Technion

Example (cont’d) (u1=x1+y1 u2=x2+y2 z=u1u2) z= (x1+y1)  (x2+y2) (u1=F1(x1,y1) u2=F2(x2,y2) z=G1(u1,u2)) z=G2(F1(x1,y1), F2(x2,y2)) • Claim: is valid • We will prove this by reducing it to an Equality Logic formula UF: Technion

Uninterpreted Functions: usability • Good: each function on the left can be mapped to a function on the right with equivalent arguments • Bad: almost all other cases • Example: Left Right x + x 2x Technion

Uninterpreted Functions: usability • This is easy to prove: x1=y1x2=y2x1+y1=x2+y2 • This requires knowledge on commutativity: x1=y2x2=y1x1+y1=x2+y2 • easy fix: ((x1=x2y1=y2) (x1=y2x2=y1)) f1= f2 • What about other cases ?useRewriting rules Technion

These two functions return the same value regardless if it is ‘*’ or any other function. Conclusion: we can prove equivalence by replacing ‘*’ with an Uninterpreted Function Example: equivalence of C programs (1/4) Power3_new(int in) { out = (in*in)*in; return out; } Power3(int in) { out = in; for (i=0; i < 2; i++) out = out * in; return out; } Technion

But first… we need to know how to write programs as equations. We will learn one out of several options, namely Static Single Assignment for Bounded programs. Example: equivalence of C programs (1/4) Power3_new(int in) { out = (in*in)*in; return out; } Power3(int in) { out = in; for (i=0; i < 2; i++) out = out * in; return out; } Technion

From programs to equations • Static Single Assignment (SSA) form Ma ze??? Technion

In this case we can replace  with a guard: y3Ãx2 < 3 ? y1 : y2 Problem: What do we do with loops ? Static Single Assignment form Technion

SSA for bounded programs • For each loop i in a given program, let ki be a bound on its iteration count. • Unroll the program according to the bounds. • We are left with statements and conditions. Technion

: x = 0; while (x < y) { x++; z = z + y; } x = 0; z = z * 2; Let k1 = 2 … x0 = 0 guard0 = x0 < y0 x1 = guard0 ? x0 + 1:x0 z1 = guard0 ? z0 + y0:z0 guard1 = x1 < y0 x2 = guard1 ? x1 + 1: x1 z2 = guard1 ? z1 + y0: z1 x4 = 0 z3 = z2 * 2 SSA for bounded programs Technion

Example: equivalence of C programs (2/4) Power3_new(int in) { out = (in*in)*in; return out; } Power3(int in) { out = in; for (i=0; i < 2; i++) out = out * in; return out; } Static Single Assignment (SSA) form: out0 = inÆ out1 = out0 * in Æ out2 = out1 * in out’0 = (in’ * in’) * in’ Prove that both functions return the same value (out2= out’0) given that in = in’ Technion

Example: equivalence of C programs (3/4) Static Single Assignment (SSA) form: out0 = inÆ out1 = out0 * in Æ out2 = out1 * in out’0 = (in’ * in’) * in’ With Uninterpreted Functions: out’0 = F4(F3(in’ , in’) , in’) out0 = inÆ out1 = F1 (out0 , in) Æ out2 = F2 (out1 , in) Technion

Example: equivalence of C programs (4/4) With Uninterpreted Functions: out’0 = F4(F3(in’ , in’) , in’) out0 = inÆ out1 = F1 (out0 , in) Æ out2 = F2 (out1 , in) Ackermann’s reduction: Eb: out’0 = f4 Ea: out0 = inÆ out1 = f1Æ out2 = f2 The Verification Condition (“the proof obligation”) ((out0 = out1 Æin = in) !f1 = f2) Æ ((out0 = in’ Æin = in’) !f1 = f3) Æ ((out0 = f3Æin= in’) !f1 = f4) Æ ((out1 = in’ Æin= in’) !f2 = f3) Æ ((out1 = f3Æin= in’) !f2 = f4) Æ ((in’ = f3Æin’ = in’) !f3 = f4) Ea Æ Eb Æ (in=in’) Æ !out2 = out’0 Technion

Uninterpreted Functions: simplifications • Let n be the number of function instances of F() • Both reduction schemes require O(n2) comparisons • This can be the bottleneck of the verification effort • Solution: try to guess the pairing of functions • Still sound: wrong guess can only make a valid formula invalid Technion

UFs: simplifications (1) • Given thatx1 = x1’,x2 = x2’,x3 = x3’,prove² o1 = o2 o1 = (x1 + (a¢x2)) a = x3 + 5 Left f1f2 o2 = (x 1’ + (b¢x2’)) b = x3’ + 5 Right f3f4 • 4 function instances  6 comparisons Technion

UFs: simplifications (2) o1 = (x1 + (a¢x2)) a = x3 + 5 Left f1f2 o2 = (x 1’ + (b¢x2’)) b = x3’ + 5 Right f3f4 • Guess: validity of equivalence does not rely onf1=f2or onf3=f4 • Conclusion: only enforce functional consistency of pairs (Left,Right) Technion

UFs: simplifications (3) o1 = (x1 + (a¢x2)) a = x3 + 5 Left f1f2 o2 = (x 1’ + (b¢x2’)) b = x3’ + 5 Right f3f4 • Down to 4 comparisons… (from n(n-1)/2 to n2/4) • Another Guess: validity of equivalence only depends on f1 =f3and f2 =f4 • Pattern matching can be useful here ... Technion

+ + Match according to patterns (‘signatures’): in ¢ 5 in in in f1,f3 f2,f4 UFs: simplifications (4) o1 = (x1 + (a¢x2)) a = x3 + 5 Left f1f2 o2 = (x 1’ + (b¢x2’)) b = x3’ + 5 Right f3f4 • Down to 2 comparisons… Technion

UFs: simplifications (5) o1 = (x1 + (a¢x2)) a = x3 + 5 Left f1f2 o2 = (x 1’ + (b¢x2’)) b = x3’ + 5 Right f3f4 + + Propagate through intermediate variables: ¢ ¢ in in var + in in + 5 in 5 in f1,f3 Technion

F in F in in F in in Same example Static Single Assignment (SSA) form: • map F1 to F3 out0 = inÆ out1 = out0 * in Æ out2 = out1 * in out’0 = (in’ * in’) * in’ With Uninterpreted Functions: out’0 = F4(F3(in’ , in’) , in’) out0 = inÆ out1 = F1 (out0 , in) Æ out2 = F2 (out1 , in) • map F2 to F4 Technion

Same example, smaller Verification Condition With Uninterpreted Functions: out’0 = F4(F3(in’ , in’) , in’) out0 = inÆ out1 = F1 (out0 , in) Æ out2 = F2 (out1 , in) Ackermann’s reduction: Eb: out’0 = f4 Ea: out0 = inÆ out1 = f1Æ out2 = f2 The Verification Condition has shrunk: ((out0 = in’ Æin = in’) !f1 = f3) Æ ((out1 = f3Æin= in’) !f2 = f4) Æ (in=in’) ÆEa Æ Eb!out2 = out’0 Technion

now with Bryant’s reduction: With Uninterpreted Functions: out’0 = F4(F3(in’ , in’) , in’) out0 = inÆ out1 = F1 (out0 , in) Æ out2 = F2 (out1 , in) Bryant’s reduction: Eb: out’0 = case case in’=outoÆin’=in : f1 true : f3 =out1 Æ in’=in:: f2 true : f4 Ea: out0 = inÆ out1 = f1Æ out2 = f2 The Verification Condition (“the proof obligation”) Prove validity of:(EaÆEbÆin = in’) !out2 = out’0 Technion

So is Equality Logic with UFs interesting? • It is expressible enough to state something interesting. • It is semi-decidable and more efficiently solvable than richer logics, for example in which some functions are interpreted. • Models which rely on infinite-type variables are more naturally expressed in this logic in comparison with Propositional Logic. Technion

Part II – Introduction toEquality Logic and Uninterpreted Functions • Introduction • Definition, complexity • Reducing Uninterpreted Functions to Equality Logic • Using Uninterpreted Functions in proofs • Simplifications • Introduction to the decision procedures • The framework: assumptions and Normal Forms • General terms and notions • Solving a conjunction of equalities • Simplifications      Technion

Decision Procedures in First Order Logic