automated theorem proving lecture 4. formula := a | | a atom := b | t = 0 | t < 0 | t 0 t...
Post on 20-Dec-2015
235 views
TRANSCRIPT
Automated Theorem Proving
Lecture 4
Formula := A | | A Atom := b | t = 0 | t < 0 | t 0 t Term := c | x | t + t | t – t | ct | Select(m,t)m MemTerm := f | Update(m,t,t)f Fieldb SymBoolConst x SymIntConst c {…,-1,0,1,…}
Memory axiom
for all objects o and o’, and memories m: o = o’ Select(Update(m,o,v),o’) = v o o’ Select(Update(m,o,v),o’) = Select(m,o’)
Select(f,b) = 5 Select(Update(f,a,5),a) + Select(Update(f,a,5),b) 10is unsatisfiable
{ b.f = 5 } a.f = 5 { a.f + b.f = 10 }
theory of arithmetic: 5, 10, +theory of arrays: Select, Update, f
Constraints that arise in program verification are mixed!
iff
Theories communicating via equality and variables
Introduce:variable w to represent Select(f,b)variable x to represent Select(Update(f,a,w),a)variable y to represent Select(Updatef,a,w),b)variables z and z’ to eliminate the arithmetic disequality
w = Select(f,b)x = Select(Update(f,a,w),a)y = Select(Update(f,a,w),b)z z’
Theory of arithmetic Theory of arrays
w = 5x + y = zz’ = 10
Select(f,b) = 5 Select(Update(f,a,5),a) + Select(Update(f,a,5),b) 10
x = w, y = w
z = z’
Theory of arrays
Formula := A | A Atom := t = t | t tt Term := c | Select(m,t)m MemTerm := f | Update(m,t,t)c SymConst
for all objects o and o’, and memories m: o = o’ Select(Update(m,o,v),o’) = v o o’ Select(Update(m,o,v),o’) = Select(m,o’)
Theory of Equality with Uninterpreted Functions
Formula := A | A Atom := t = t | t tt Term := c | f(t,…,t)c SymConstf Function
for all constants a and b and functions f:- a = a- a = b b = a- a = b b = c a = c- a = b f(a) = f(b)
f(f(f(f(f(a))))) = a
f(f(f(a))) = a
f(f(a)) = a
f(a) = a
f(a,b) = a
f(f(a,b),b) = b
f(a,b) = b
a = b
f(f(f(f(a)))) = a
f
a b
f
f
f
f
f
f
a
f(a,b) = a
f(f(a,b),b) = b
f(f(f(f(f(a))))) = a
f(f(f(a))) = a
f
a b
f
f
f
f
f
f
a
e-graph
Use union-find algorithm to maintain equivalence classes on terms.
Congruence closure algorithm
Decision procedure for EUF
1. Construct initial e-graph for all terms appearing in equalities and disequalities.2. Apply congruence closure ignoring disequalities.3. If there is a disequality t1 t2 and an equivalence
class containing both t1 and t2, return unsatisfiable.
4. Otherwise, return satisfiable.
Soundness
Theorem: If the algorithm returns unsatisfiable, the constraints are unsatisfiable.
Lemma: At every step of the congruence closure algorithm, each equality in the e-graph is implied by the original set of equalities.
Proof: By induction on the number of steps.
Completeness
Theorem: If the algorithm returns satisfiable, there is a model satisfying the constraints.
Model
A (finite or infinite) universe UAn interpretation I - maps each constant symbol u to an element I(u) U- maps each function symbol f to a function I(f) (UU)
Completeness
Theorem: If the algorithm returns satisfiable, there is a model satisfying the constraints.
How do we construct the model?
f
a b
ff(a,b) = a
f(f(a,b),b) = b
For any term t in the e-graph, let EC(t) be the equivalence class containing t.
U = set of equivalence classes + new element I(c) = EC(c)I(f)() = EC(f(u)), if u. f(u) is a term in the e-graphI(f)() = , otherwise
Convexity
A conjunction of facts is convex if whenever it entails a disjunction of equalities, it also entails at least one equality by itself.
If C a1 = b1 … an = bn
Then there is i [1,n] such that C ai = bi
A theory is convex if ever conjunction of facts in the theory is convex.
EUF is convex
Suppose C u1 = t1 u2 = t2 Then C u1 t1 u2 t2 is unsatisfiableThe congruence closure algorithm demonstrates thatthere is some i such that even C ui ti is unsatisfiable
Uninterpreted theory
Function symbols: f1, f2, … (each with an arity {0,1,…})Relation symbols: R1, R2, … (each with an arity {0,1,…})Special relation: equality (arity 2)Variables: x1, x2, … Boolean facts: x1 = x2, x1 x2, R(x1, x2), R(x1, x2), x. R(x,y)
A conjunction of facts is consistent iff there is a model (U,I) that satisfies each fact in the conjunction.
e.g., EUF, arrays, lists
Interpreted theory
Function symbols: f1, f2, … (each with an arity {0,1,…})Relation symbols: R1, R2, … (each with an arity {0,1,…})Special relation: equality (arity 2)Variables: x1, x2, … Boolean facts: x1 = x2, x1 x2, R(x1, x2), R(x1, x2), x. R(x,y)
A conjunction of facts is consistent iff I can be extended to the free variables of the conjunction so that each fact in the conjunction is satisfied.
Fixed model (U,I) providing an interpretation for the function and relation symbols.
e.g., arithmetic over rationals, arithmetic over integers
Communicating theories
• Suppose the only shared symbols between two theories T1 and T2 are equality and variables
• C1 is conjunction of facts in theory T1• C2 is conjunction of facts in theory T2• Suppose C1 is consistent by itself and
C2 is consistent by itself• Is C1 C2 consistent?
f(f(x) – f(y)) f(z) x y y + z x z 0
x yy + z xz 0g1 = g2 – g3
f(g1) f(z)g2 = f(x)g3 = f(y)
C1 is consistentC2 is consistent
But C1 C2 is not consistent!
C1 C2x = y
g2 = g3
g1 = z
For any conjunction C1 of facts in the theory of rationals and any conjunction C2 of facts in the theory of EUF, it suffices to communicate equalities over shared variables.
What if C1 is a conjunction of facts in the theory ofarithmetic over integers?
1 xx 2a = 1b = 2
f(x) f(a)f(x) f(b)
C1 C2
C1 x = a x = b f(x) = f(a) f(x) = f(b) = C2
The equality sharing procedure does not workbecause the theory of integers is non-convex(although the theory of rationals is convex)!
Fix: Communicate disjunctions of equalities!
1 xx 2a = 1b = 2
f(x) f(a)f(x) f(b)
x = a x = b
1 xx 2a = 1b = 2x = a
f(x) f(a)f(x) f(b)x = a
4, 2, x = b
Unsatisfiable
1 xx 2a = 1b = 2x = b
f(x) f(a)f(x) f(b)x = b
Unsatisfiable
Another Example
1 xx 2a = 1b = 2
f(x) = af(a) = bf(b) = b
x = a x = b
1 xx 2a = 1b = 2x = a
f(x) = af(a) = bf(b) = bx = a
4, 3, x = b
a = b
a = b
Unsatisfiable
1 xx 2a = 1b = 2x = b
f(x) = af(a) = bf(b) = bx = b
Unsatisfiable
a = b
a = b
The procedure returns satisfiable only when (1) C1 is consistent(2) C2 is consistent(3) C1 is convex(4) C2 is convex(5) C1 entails (x = y) iff C2 entails (x = y)
Theorem: If the procedure returns satisfiable, thenthere is a model of C1 C2.
Technical side conditions: (1) Every consistent formula in T1 has a countably infinite model(2) Every consistent formula in T2 has a countably infinite model
ProofPartition variables into equivalence classes Q1, …, Qn such that for all i [1,n], if x,y Qi then C1 entails x = y.
Lemma: For all i [1,n], if x,y Qi then C2 entails x = y.
For each i [1,n], pick representative wi Qi.
Lemma: C1 1 i < j n(wi wj) is consistent.
Lemma: C2 1 i < j n(wi wj) is consistent.
Proof continued
D1 = C1 1 i < j n(wi wj)
D2 = C2 1 i < j n(wi wj)
D1 has a countably infinite model (U1, I1)D2 has a countably infinite model (U2, I2)
Pick an isomorphism K from U1 to U2 that is consistent with variable assignments, i.e., for all x, K(I1(x)) = I2(x).
The interpretations of function and relation symbols canbe mapped easily using K.