CS156: The Calculus of Computation
Zohar Manna, Winter 2008
Chapter 11: Arrays (lecture slides, 55 pages)


Arrays I: Quantifier-free Fragment of T_A (page 1 of 55)

Signature Σ_A : { ·[·], ·⟨· ◁ ·⟩, = }, where
- a[i] is a binary function: read array a at index i ("read(a, i)")
- a⟨i ◁ v⟩ is a ternary function: write value v to index i of array a ("write(a, i, v)")

Axioms (page 2 of 55)

1. the axioms of (reflexivity), (symmetry), and (transitivity) of T_E
2. ∀a, i, j. i = j → a[i] = a[j]                    (array congruence)
3. ∀a, v, i, j. i = j → a⟨i ◁ v⟩[j] = v             (read-over-write 1)
4. ∀a, v, i, j. i ≠ j → a⟨i ◁ v⟩[j] = a[j]          (read-over-write 2)

Infinite Domain (page 3 of 55)

We add an axiom schema to T_A that forbids interpretations with finite arrays. For each positive natural number n, the following is an axiom:

  ∀x_1, ..., x_n. ∃y. ⋀_{i=1}^{n} y ≠ x_i

Equality in T_A (page 4 of 55)

Note: = is only defined for array elements:

  a[i] = e → a⟨i ◁ e⟩ = a

is not T_A-valid, but

  a[i] = e → ∀j. a⟨i ◁ e⟩[j] = a[j]

is T_A-valid. Also a = b → a[i] = b[i] is not T_A-valid: we only axiomatized a restricted congruence.

T_A is undecidable. The quantifier-free fragment of T_A is decidable.

Example: Quantifier-free fragment (QFF) of T_A (page 5 of 55)

Is

  a[i] = e_1 ∧ e_1 ≠ e_2 → a⟨i ◁ e_2⟩[i] ≠ a[i]

T_A-valid? Alternatively, is

  a[i] = e_1 ∧ e_1 ≠ e_2 ∧ a⟨i ◁ e_2⟩[i] = a[i]

T_A-unsatisfiable?

Decision Procedure for T_A (page 6 of 55)

Given a quantifier-free conjunctive Σ_A-formula F. To decide the T_A-satisfiability of F:

Step 1: If F does not contain any write terms a⟨i ◁ v⟩, then
1. associate each array variable a with a fresh function symbol f_a, and replace read terms a[i] with f_a(i);
2. decide the T_E-satisfiability of the resulting formula.

Decision Procedure for T_A (page 7 of 55)

Step 2: Select some read-over-write term a⟨i ◁ v⟩[j] (note that a may itself be a write term) and split on two cases:
1. According to (read-over-write 1), replace F[a⟨i ◁ v⟩[j]] with F_1 : F[v] ∧ i = j, and recurse on F_1. If F_1 is found to be T_A-satisfiable, return satisfiable.
2. According to (read-over-write 2), replace F[a⟨i ◁ v⟩[j]] with F_2 : F[a[j]] ∧ i ≠ j, and recurse on F_2. If F_2 is found to be T_A-satisfiable, return satisfiable.
If both F_1 and F_2 are found to be T_A-unsatisfiable, return unsatisfiable.

Example (page 8 of 55)

Consider the Σ_A-formula

  F : i_1 = j ∧ i_1 ≠ i_2 ∧ a[j] = v_1 ∧ a⟨i_1 ◁ v_1⟩⟨i_2 ◁ v_2⟩[j] ≠ a[j].

F contains a write term, a⟨i_1 ◁ v_1⟩⟨i_2 ◁ v_2⟩[j] ≠ a[j]. According to (read-over-write 1), assume i_2 = j and recurse on

  F_1 : i_2 = j ∧ i_1 = j ∧ i_1 ≠ i_2 ∧ a[j] = v_1 ∧ v_2 ≠ a[j].

F_1 does not contain any write terms, so rewrite it to

  F_1′ : i_2 = j ∧ i_1 = j ∧ i_1 ≠ i_2 ∧ f_a(j) = v_1 ∧ v_2 ≠ f_a(j).

The first three literals (i_2 = j ∧ i_1 = j ∧ i_1 ≠ i_2) are contradictory, so F_1′ is T_E-unsatisfiable.
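The two steps of the procedure above (read-over-write case splitting, then a reduction to T_E by treating each read a[i] as f_a(i) and running congruence closure) can be run mechanically. The following is an added example, not code from the lecture or the course: it encodes terms as nested tuples, uses a naive union-find congruence closure for the T_E step, and evaluates the slide's formula F as well as the variant formulas the slides ask about. The helper names (satisfiable_TA, satisfiable_TE, valid_TA, example_F) are this example's own choices. Array equalities (write terms outside a read) are outside the fragment and are rejected.

```python
"""Decision procedure for the quantifier-free conjunctive fragment of T_A (added example).

Terms are nested tuples:
    ('var', name)          element, index or array variable
    ('read', a, i)         a[i]
    ('write', a, i, v)     a<i <| v>
A formula is a list of literals (lhs, rhs, positive): lhs = rhs if positive else lhs != rhs.
"""

def var(n): return ('var', n)
def read(a, i): return ('read', a, i)
def write(a, i, v): return ('write', a, i, v)

def subterms(t):
    """Yield t and all its proper subterms, outermost first."""
    yield t
    for s in t[1:]:
        if isinstance(s, tuple):
            yield from subterms(s)

def find_read_over_write(lits):
    """First term of the shape a<i <| v>[j] in the literals, or None if no write remains."""
    for l, r, _ in lits:
        for t in list(subterms(l)) + list(subterms(r)):
            if t[0] == 'read' and t[1][0] == 'write':
                return t
    return None

def subst(t, old, new):
    """Replace every occurrence of term `old` inside t by `new`."""
    if t == old:
        return new
    return (t[0],) + tuple(subst(s, old, new) if isinstance(s, tuple) else s for s in t[1:])

def subst_lits(lits, old, new):
    return [(subst(l, old, new), subst(r, old, new), p) for l, r, p in lits]

def satisfiable_TA(lits):
    """Step 2 of the slides: case-split on read-over-write terms until none remain."""
    rw = find_read_over_write(lits)
    if rw is None:
        return satisfiable_TE(lits)
    (_, (_, a, i, v), j) = rw
    # (read-over-write 1): i = j, the read yields the written value v
    if satisfiable_TA(subst_lits(lits, rw, v) + [(i, j, True)]):
        return True
    # (read-over-write 2): i != j, the write is invisible at index j
    return satisfiable_TA(subst_lits(lits, rw, read(a, j)) + [(i, j, False)])

def satisfiable_TE(lits):
    """Step 1 of the slides: a[i] plays the role of f_a(i); decide by congruence closure."""
    terms = {t for l, r, _ in lits for t in list(subterms(l)) + list(subterms(r))}
    if any(t[0] == 'write' for t in terms):
        raise ValueError("array equality (write outside a read) is not in the fragment")
    parent = {t: t for t in terms}
    def find(t):
        while parent[t] != t:
            parent[t] = parent[parent[t]]
            t = parent[t]
        return t
    def union(s, t):
        rs, rt = find(s), find(t)
        if rs == rt:
            return False
        parent[rs] = rt
        return True
    for l, r, pos in lits:
        if pos:
            union(l, r)
    # congruence: reads of the same array variable with equal indices are merged (axiom 2)
    reads = [t for t in terms if t[0] == 'read']
    changed = True
    while changed:
        changed = False
        for s in reads:
            for t in reads:
                if s[1] == t[1] and find(s[2]) == find(t[2]) and union(s, t):
                    changed = True
    # every disequality must separate two distinct classes
    return all(find(l) != find(r) for l, r, pos in lits if not pos)

def valid_TA(hypotheses, conclusion):
    """F -> G is T_A-valid iff F and (not G) is T_A-unsatisfiable (G a single literal)."""
    l, r, pos = conclusion
    return not satisfiable_TA(hypotheses + [(l, r, not pos)])

def example_F(with_disequality=True):
    """The slide's formula F; with_disequality=False drops the literal i1 != i2."""
    a, j, i1, i2, v1, v2 = (var(n) for n in ('a', 'j', 'i1', 'i2', 'v1', 'v2'))
    F = [(i1, j, True), (read(a, j), v1, True),
         (read(write(write(a, i1, v1), i2, v2), j), read(a, j), False)]
    return F + [(i1, i2, False)] if with_disequality else F

def example_page5():
    """a[i] = e1 and e1 != e2 -> a<i <| e2>[i] != a[i]  (page 5 of the slides)."""
    a, i, e1, e2 = var('a'), var('i'), var('e1'), var('e2')
    return valid_TA([(read(a, i), e1, True), (e1, e2, False)],
                    (read(write(a, i, e2), i), read(a, i), False))

if __name__ == '__main__':
    print("F satisfiable:", satisfiable_TA(example_F()))
    print("page-5 implication valid:", example_page5())
```

Each case split removes one read-over-write occurrence, so the recursion terminates; the T_E step is the textbook quadratic congruence closure, which is enough for formulas of this size.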

Example (cont.) (page 9 of 55)

Returning, we try the second case: according to (read-over-write 2), assume i_2 ≠ j and recurse on

  F_2 : i_2 ≠ j ∧ i_1 = j ∧ i_1 ≠ i_2 ∧ a[j] = v_1 ∧ a⟨i_1 ◁ v_1⟩[j] ≠ a[j].

F_2 contains a write term. According to (read-over-write 1), assume i_1 = j and recurse on

  F_3 : i_1 = j ∧ i_2 ≠ j ∧ i_1 = j ∧ i_1 ≠ i_2 ∧ a[j] = v_1 ∧ v_1 ≠ a[j].

The last two literals (a[j] = v_1 ∧ v_1 ≠ a[j]) give a contradiction. Thus, according to (read-over-write 2), assume i_1 ≠ j and recurse on

  F_4 : i_1 ≠ j ∧ i_2 ≠ j ∧ i_1 = j ∧ i_1 ≠ i_2 ∧ a[j] = v_1 ∧ a[j] ≠ a[j].

The last literal (a[j] ≠ a[j]) is a contradiction: all branches have been tried, and thus F is T_A-unsatisfiable.

Question: Suppose instead that F does not contain the literal i_1 ≠ i_2. Is this new formula T_A-satisfiable?

Decision Procedure for Arrays (page 10 of 55)

The quantifier-free fragment of T_A is decidable. However, it is too weak to express important properties:
- Containment: ∀i. ℓ ≤ i ≤ u ⇒ a[i] ≠ e
- Sortedness: ∀i, j. ℓ ≤ i ≤ j ≤ u ⇒ a[i] ≤ a[j]
- Partitioning: ∀i, j. ℓ_1 ≤ i ≤ u_1 ∧ ℓ_2 ≤ j ≤ u_2 ⇒ a[i] ≤ a[j]

The general theory of arrays T_A with quantifiers is not decidable. Is there a decidable fragment of T_A that contains the above formulae?

Example (page 11 of 55)

We want to prove validity for a formula such as:

  (∀i. a[i] ≠ e) ∧ e ≠ f → (∀i. a⟨j ◁ f⟩[i] ≠ e).

Equivalently, show unsatisfiability of

  (∀i. a[i] ≠ e) ∧ e ≠ f ∧ (∃i. a⟨j ◁ f⟩[i] = e),

or of the equisatisfiable formula

  (∀i. a[i] ≠ e) ∧ e ≠ f ∧ a⟨j ◁ f⟩[i] = e.

We need to handle a universal quantifier.

Arrays II: Array Property Fragment of T_A (page 12 of 55)

A decidable fragment of T_A that includes ∀ quantifiers.

Array property: a Σ_A-formula of the form

  ∀i. α[i] → β[i],

where i is a list of variables.

Index guard α[i]:

  iguard → iguard ∧ iguard | iguard ∨ iguard | atom
  atom   → var = var | evar ≠ var | var ≠ evar | ⊤
  var    → evar | uvar

where uvar is any universally quantified index variable, and evar is any unquantified free variable.

Arrays II: Array Property Fragment of T_A (cont.) (page 13 of 55)

Value constraint β[i]: any qff, but a universally quantified index can occur only in a read a[i], where a is an array term.

Array property fragment: Boolean combinations of quantifier-free Σ_A-formulae and array properties.

Note: a[b[k]] for unquantified variable k is okay, but a[b[i]] for universally quantified variable i is forbidden. It cannot be replaced by

  ∀i, j. ... b[i] = j ∧ a[j] ...

since in β the universally quantified variable j may occur in a[j] but not in b[i] = j.

Example: Array Property Fragment (page 14 of 55)

Is this formula in the array property fragment?

  F : ∀i. i ≠ a[k] → a[i] = a[k]

The antecedent is not a legal index guard since a[k] is not a variable (neither a uvar nor an evar); however, by simple manipulation,

  F′ : v = a[k] ∧ ∀i. i ≠ v → a[i] = a[k].

Here, i ≠ v is a legal index guard, and a[i] = a[k] is a legal value constraint. F and F′ are equisatisfiable.

However, no manipulation works for

  G : ∀i. i ≠ a[i] → a[i] = a[k].

Thus, G is not in the array property fragment.

Array property fragment and extensionality (page 15 of 55)

The array property fragment allows expressing equality between arrays (extensionality): two arrays are equal precisely when their corresponding elements are equal. For a given formula

  F : ··· ∧ a = b ∧ ···

with array terms a and b, rewrite F as

  F′ : ··· ∧ (∀i. ⊤ → a[i] = b[i]) ∧ ···.

F and F′ are equisatisfiable.

Decision Procedure for Array Property Fragment (page 16 of 55)

Basic idea: replace universal quantification ∀i. F[i] by the finite conjunction F[t_1] ∧ ... ∧ F[t_n]. We call t_1, ..., t_n the index terms; they depend on the formula.
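The index-guard grammar and the value-constraint restriction on pages 12 to 15 are purely syntactic, so membership in the array property fragment can be checked by a small recursive walk over the formula. The following is an added example, not code from the lecture: it encodes formulas as tuples, implements the iguard/atom/var grammar, enforces that a universally quantified index appears only as the index of a non-nested read, and includes the extensionality rewrite of page 15. Function names (is_index_guard, uvar_ok, in_array_property_fragment, extensionality) and the tuple encoding are this example's own conventions; the checker covers equality and disequality atoms only, so the ≤-based properties of page 10 are outside what it encodes.

```python
"""Membership check for the array property fragment of T_A (added example).

Terms:    ('var', n) | ('read', a, i) | ('write', a, i, v)
Formulas: ('true',) | ('eq', s, t) | ('neq', s, t)
          ('and', f, g) | ('or', f, g) | ('not', f)
          ('forall', [uvar names], index_guard, value_constraint)
"""

def var(n): return ('var', n)
def read(a, i): return ('read', a, i)

def is_index_guard(g, uvars):
    """iguard -> iguard and iguard | iguard or iguard | atom
       atom   -> var = var | evar != var | var != evar | true"""
    op = g[0]
    if op in ('and', 'or'):
        return is_index_guard(g[1], uvars) and is_index_guard(g[2], uvars)
    if op == 'true':
        return True
    if op in ('eq', 'neq'):
        s, t = g[1], g[2]
        if s[0] != 'var' or t[0] != 'var':
            return False                      # e.g. i != a[k]: a[k] is not a var
        if op == 'eq':
            return True
        return s[1] not in uvars or t[1] not in uvars   # uvar != uvar is not an atom
    return False                              # negation and quantifiers are not guards

def uvar_ok(t, uvars, nested=False):
    """A uvar may occur only as the index of a read that is not itself inside
    another index, an array term or a write (a[b[i]] and b[i] = j are rejected)."""
    if t[0] == 'var':
        return t[1] not in uvars              # a bare uvar outside a read index
    if t[0] == 'read':
        a, i = t[1], t[2]
        if i[0] == 'var' and i[1] in uvars:
            return not nested and uvar_ok(a, uvars, True)
        return uvar_ok(a, uvars, True) and uvar_ok(i, uvars, True)
    return all(uvar_ok(s, uvars, True) for s in t[1:])   # write term

def is_value_constraint(f, uvars):
    op = f[0]
    if op == 'forall':
        return False                          # value constraints are quantifier-free
    if op in ('and', 'or', 'not'):
        return all(is_value_constraint(g, uvars) for g in f[1:])
    if op == 'true':
        return True
    return uvar_ok(f[1], uvars) and uvar_ok(f[2], uvars)

def in_array_property_fragment(f):
    """Boolean combinations of quantifier-free formulas and array properties."""
    op = f[0]
    if op in ('and', 'or', 'not'):
        return all(in_array_property_fragment(g) for g in f[1:])
    if op == 'forall':
        uvars = set(f[1])
        return is_index_guard(f[2], uvars) and is_value_constraint(f[3], uvars)
    return is_value_constraint(f, set())

def extensionality(a, b, i='i'):
    """Page 15: a = b between arrays becomes the array property forall i. true -> a[i] = b[i]."""
    return ('forall', [i], ('true',), ('eq', read(a, var(i)), read(b, var(i))))

# the formulas of page 14
a, k, i, v = var('a'), var('k'), var('i'), var('v')
F = ('forall', ['i'], ('neq', i, read(a, k)), ('eq', read(a, i), read(a, k)))
F_prime = ('and', ('eq', v, read(a, k)),
           ('forall', ['i'], ('neq', i, v), ('eq', read(a, i), read(a, k))))
G = ('forall', ['i'], ('neq', i, read(a, i)), ('eq', read(a, i), read(a, k)))

if __name__ == '__main__':
    for name, f in (('F', F), ("F'", F_prime), ('G', G)):
        print(name, 'in fragment:', in_array_property_fragment(f))
```

The check is syntactic only: F above is rejected even though the slide's rewrite F′ is in the fragment, which matches the slide's point that the manipulation must be done before the check, not by it.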
