Decision Procedures for Verification
Decision Procedures (3)
12.01.2017
Viorica Sofronie-Stokkermans
sofronie@uni-koblenz.de
Until now: Decision Procedures
• Uninterpreted functions: congruence closure
DAG Representation/Congruence Closure

Task: Check whether $s_1(c) \approx t_1(c) \wedge \cdots \wedge s_k(c) \approx t_k(c) \wedge s(c) \not\approx t(c)$ is unsatisfiable.

Solution [Downey-Sethi-Tarjan '76; Nelson-Oppen '80]:
- represent the terms occurring in the problem as DAGs
- represent the premise equalities by a relation on the vertices of the DAG

Example: Check whether $f(f(a,b),b) \approx a$ is a consequence of $f(a,b) \approx a$.
DAG (figure): $v_1 : f(f(a,b),b)$, labelled $f$, with successors $v_2$ and $v_4$; $v_2 : f(a,b)$, labelled $f$, with successors $v_3$ and $v_4$; $v_3 : a$; $v_4 : b$.
$R = \{(v_2, v_3)\}$
- compute the "congruence closure" $R^c$ of $R$
- check whether $(v_1, v_3) \in R^c$
Computing the congruence closure of a DAG

• DAG structures:
- $G = (V, E)$ directed graph
- Labelling on vertices: $\lambda(v)$ is the label of vertex $v$; $\delta(v)$ is the outdegree of vertex $v$
- Edges leaving the vertex $v$ are ordered ($v[i]$ denotes the $i$-th successor of $v$)

Example (the DAG of $f(f(a,b),b)$ with vertices $v_1, v_2$ labelled $f$, $v_3 : a$, $v_4 : b$):
$\lambda(v_1) = \lambda(v_2) = f$, $\lambda(v_3) = a$, $\lambda(v_4) = b$
$\delta(v_1) = \delta(v_2) = 2$, $\delta(v_3) = \delta(v_4) = 0$
$v_1[1] = v_2$, $v_2[2] = v_4$, ...
Congruence closure of a DAG/Relation

Given: $G = (V, E)$ DAG + labelling, $R \subseteq V \times V$
The congruence closure of $R$ is the smallest relation $R^c$ on $V$ which is:
• reflexive
• symmetric
• transitive
• congruence: If $\lambda(u) = \lambda(v)$ and $\delta(u) = \delta(v)$ and for all $1 \le i \le \delta(u)$: $(u[i], v[i]) \in R^c$, then $(u, v) \in R^c$.
(Figure: two copies of the example DAG with $v_1, v_2$ labelled $f$, $v_3 : a$, $v_4 : b$, illustrating the congruence rule.)
Congruence closure of a relation

Recursive definition (inference rules):
$\dfrac{(u, v) \in R}{(u, v) \in R^c}$
$\dfrac{}{(v, v) \in R^c}$
$\dfrac{(u, v) \in R^c}{(v, u) \in R^c}$
$\dfrac{(u, v) \in R^c \quad (v, w) \in R^c}{(u, w) \in R^c}$
$\dfrac{\lambda(u) = \lambda(v) \quad u, v \text{ have } n \text{ successors and } (u[i], v[i]) \in R^c \text{ for all } 1 \le i \le n}{(u, v) \in R^c}$
• The congruence closure of $R$ is the smallest set closed under these rules
Congruence closure and UIF

Assume that we have an algorithm A for computing the congruence closure of a graph $G$ and a set $R$ of pairs of vertices.
• Use A for checking whether $\bigwedge_{i=1}^n s_i \approx t_i \wedge \bigwedge_{j=1}^m s'_j \not\approx t'_j$ is satisfiable.
(1) Construct the graph corresponding to the terms occurring in $s_i, t_i, s'_j, t'_j$. Let $v_t$ be the vertex corresponding to the term $t$.
(2) Let $R = \{(v_{s_i}, v_{t_i}) \mid i \in \{1, \ldots, n\}\}$
(3) Compute $R^c$.
(4) Output "Sat" if $(v_{s'_j}, v_{t'_j}) \notin R^c$ for all $1 \le j \le m$, otherwise "Unsat".

Theorem 3.3.3 (Correctness) $\bigwedge_{i=1}^n s_i \approx t_i \wedge \bigwedge_{j=1}^m s'_j \not\approx t'_j$ is satisfiable iff $[v_{s'_j}]_{R^c} \neq [v_{t'_j}]_{R^c}$ for all $1 \le j \le m$.
Congruence closure and UIF

Theorem 3.3.3 (Correctness) $\bigwedge_{i=1}^n s_i \approx t_i \wedge \bigwedge_{j=1}^m s'_j \not\approx t'_j$ is satisfiable iff $[v_{s'_j}]_{R^c} \neq [v_{t'_j}]_{R^c}$ for all $1 \le j \le m$.

Proof ($\Rightarrow$)
Assume $\mathcal{A}$ is a $\Sigma$-structure such that $\mathcal{A} \models \bigwedge_{i=1}^n s_i \approx t_i \wedge \bigwedge_{j=1}^m s'_j \not\approx t'_j$.
We can show that $[v_s]_{R^c} = [v_t]_{R^c}$ implies that $\mathcal{A} \models s = t$ (Exercise).
(We use the fact that if $[v_s]_{R^c} = [v_t]_{R^c}$ then there is a derivation for $(v_s, v_t) \in R^c$ in the calculus defined before; use induction on the length of the derivation to show that $\mathcal{A} \models s = t$.)
As $\mathcal{A} \models s'_j \not\approx t'_j$, it follows that $[v_{s'_j}]_{R^c} \neq [v_{t'_j}]_{R^c}$ for all $1 \le j \le m$.
Congruence closure and UIF

Theorem 3.3.3 (Correctness) $\bigwedge_{i=1}^n s_i \approx t_i \wedge \bigwedge_{j=1}^m s'_j \not\approx t'_j$ is satisfiable iff $[v_{s'_j}]_{R^c} \neq [v_{t'_j}]_{R^c}$ for all $1 \le j \le m$.

Proof ($\Leftarrow$)
Assume that $[v_{s'_j}]_{R^c} \neq [v_{t'_j}]_{R^c}$ for all $1 \le j \le m$.
We construct a structure $\mathcal{A}$ that satisfies $\bigwedge_{i=1}^n s_i \approx t_i \wedge \bigwedge_{j=1}^m s'_j \not\approx t'_j$:
• The universe is the quotient of $V$ w.r.t. $R^c$ plus a new element $0$.
• Constant $c \mapsto c_{\mathcal{A}} = [v_c]_{R^c}$.
• $f/n \mapsto f_{\mathcal{A}}([v_1]_{R^c}, \ldots, [v_n]_{R^c}) = \begin{cases} [v_{f(t_1, \ldots, t_n)}]_{R^c} & \text{if } v_{f(t_1, \ldots, t_n)} \in V \text{ and } [v_{t_i}]_{R^c} = [v_i]_{R^c} \text{ for } 1 \le i \le n \\ 0 & \text{otherwise} \end{cases}$
(well-defined because $R^c$ is a congruence).
• It holds that $\mathcal{A} \models s'_j \not\approx t'_j$ and $\mathcal{A} \models s_i \approx t_i$.
Computing the congruence closure of a DAG

Given: $G = (V, E)$ DAG + labelling, $R \subseteq V \times V$
Task: Compute $R^c$ (the congruence closure of $R$)

Idea:
- Start with the identity relation $R^c = \mathrm{Id}$
- Successively add new pairs of nodes to $R^c$; close the relation under congruence.

Example: $f(a,b) \approx a \rightarrow f(f(a,b),b) \approx a$
DAG (figure): $v_1$ labelled $f$ with successors $v_2, v_4$; $v_2$ labelled $f$ with successors $v_3, v_4$; $v_3 : a$; $v_4 : b$.
$R = \{(v_2, v_3)\}$
Task: Compute $R^c$
Computing the congruence closure of a DAG

Given: $G = (V, E)$ DAG + labelling, $R \subseteq V \times V$; $(v, v') \in V^2$
Task: Check whether $(v, v') \in R^c$

Idea:
- Start with the identity relation $R^c = \mathrm{Id}$
- Successively add new pairs of nodes to $R^c$; close the relation under congruence.

Example: $f(a,b) \approx a \rightarrow f(f(a,b),b) \approx a$
DAG (figure): $v_1$ labelled $f$ with successors $v_2, v_4$; $v_2$ labelled $f$ with successors $v_3, v_4$; $v_3 : a$; $v_4 : b$.
$R = \{(v_2, v_3)\}$
Task: Decide whether $(v_1, v_3) \in R^c$
Computing the congruence closure of a DAG

Given: $G = (V, E)$ DAG + labelling, $R \subseteq V \times V$
Task: Compute $R^c$ (the congruence closure of $R$)

Idea: Recursively construct relations $R_i$ closed under congruence (approximating $R^c$) by identifying congruent vertices $u, v$ and computing $R_{i+1} :=$ congruence closure of $R_i \cup \{(u, v)\}$.

Representation:
- Congruence relation $\mapsto$ corresponding partition
Computing the congruence closure of a DAG

Given: $G = (V, E)$ DAG + labelling, $R \subseteq V \times V$
Task: Compute $R^c$ (the congruence closure of $R$)

Idea: Recursively construct relations $R_i$ closed under congruence (approximating $R^c$) by identifying congruent vertices $u, v$ and computing $R_{i+1} :=$ congruence closure of $R_i \cup \{(u, v)\}$.

Representation:
- Congruence relation $\mapsto$ corresponding partition
- Use procedures which operate on the partition:
  FIND($u$): unique name of the equivalence class of $u$
  UNION($u$, $v$): combines the equivalence classes of $u$, $v$; finds the representatives $t_u$, $t_v$ of the equivalence classes of $u$, $v$ and sets FIND($u$) to $t_v$
Computing the congruence closure of a DAG

MERGE($u$, $v$)
Input: $G = (V, E)$ DAG + labelling; $R$ relation on $V$ closed under congruence; $u, v \in V$
Output: the congruence closure of $R \cup \{(u, v)\}$

If FIND($u$) = FIND($v$) [same canonical representative] then Return
If FIND($u$) $\neq$ FIND($v$) then [merge $u$, $v$; recursively the predecessors]
  $P_u$ := set of all predecessors of vertices $w$ with FIND($w$) = FIND($u$)
  $P_v$ := set of all predecessors of vertices $w$ with FIND($w$) = FIND($v$)
  Call UNION($u$, $v$) [merge congruence classes]
  For all $(x, y) \in P_u \times P_v$ do: [merge congruent predecessors]
    if FIND($x$) $\neq$ FIND($y$) and CONGRUENT($x$, $y$) then MERGE($x$, $y$)

CONGRUENT($x$, $y$)
  if $\lambda(x) \neq \lambda(y)$ then Return FALSE
  For $1 \le i \le \delta(x)$: if FIND($x[i]$) $\neq$ FIND($y[i]$) then Return FALSE
  Return TRUE.
Correctness

Proof:
(1) The returned equivalence relation is not too coarse: if $x, y$ are merged then $(x, y) \in (R \cup \{(u, v)\})^c$ (UNION is called only on the initial pair and on congruent pairs).
(2) The returned equivalence relation is not too fine: if $x, y$ are vertices such that $(x, y) \in (R \cup \{(u, v)\})^c$ then they are merged by the algorithm.
Induction on the length of the derivation of $(x, y)$ from $(R \cup \{(u, v)\})^c$:
(1) $(x, y) \in R$: OK (they are merged)
(2) $(x, y) \notin R$. The only non-trivial case is the following: $\lambda(x) = \lambda(y)$, and $x, y$ have $n$ successors $x_i, y_i$ where $(x_i, y_i) \in (R \cup \{(u, v)\})^c$ for all $1 \le i \le n$.
Induction hypothesis: $(x_i, y_i)$ are merged at some point (they become equal during some call of UNION($a$, $b$), made in some MERGE($a$, $b$)).
A successor of $x$ is equivalent to $a$ (or $b$) before this call of UNION; the same holds for $y$.
$\Rightarrow$ MERGE must merge $x$ and $y$.
Computing the Congruence Closure

Let $G = (V, E)$ be a graph and $R \subseteq V \times V$.
CC($G$, $R$) computes $R^c$:
(1) $R_0 := \emptyset$; $i := 1$
(2) while $R$ contains "fresh" elements do:
  pick a "fresh" element $(u, v) \in R$
  $R_i :=$ MERGE($u$, $v$) for $G$ and $R_{i-1}$; $i := i + 1$.

Complexity: $O(n^2)$
Downey-Sethi-Tarjan congruence closure algorithm: more sophisticated version of MERGE (complexity $O(n \cdot \log n)$)

Reference: G. Nelson and D.C. Oppen. Fast decision procedures based on congruence closure. Journal of the ACM, 27(2):356-364, 1980.
Decision procedure for the QF theory of equality

Signature: $\Sigma$ (function symbols)
Problem: Test satisfiability of the formula $F = s_1 \approx t_1 \wedge \cdots \wedge s_n \approx t_n \wedge s'_1 \not\approx t'_1 \wedge \cdots \wedge s'_m \not\approx t'_m$

Solution: Let $S_F$ be the set of all subterms occurring in $F$.
1. Construct the DAG for $S_F$; $R_0 = \mathrm{Id}$
2. [Build $R_n$, the congruence closure of $\{(v(s_1), v(t_1)), \ldots, (v(s_n), v(t_n))\}$] For $i \in \{1, \ldots, n\}$ do $R_i :=$ MERGE($v_{s_i}$, $v_{t_i}$) w.r.t. $R_{i-1}$
3. If FIND($v_{s'_j}$) = FIND($v_{t'_j}$) for some $j \in \{1, \ldots, m\}$ then return unsatisfiable
4. else [if FIND($v_{s'_j}$) $\neq$ FIND($v_{t'_j}$) for all $j \in \{1, \ldots, m\}$] then return satisfiable
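The MERGE/CONGRUENT procedure and the decision procedure above, as an added runnable Python example (not code from the lecture): it builds the shared DAG, runs MERGE with FIND/UNION, and decides the earlier example $f(a,b) \approx a \rightarrow f(f(a,b),b) \approx a$. The tuple encoding of terms and the helper class_preds (computing $P_u$) are my own conventions.

```python
# Added example: DAG + union-find congruence closure for quantifier-free equality.
# Terms are nested tuples: ("a",) is the constant a, ("f", s, t) is f(s, t).

class CongruenceClosure:
    def __init__(self):
        self.label, self.succ, self.parent, self.preds, self.vertex = [], [], [], [], {}

    def add_term(self, term):
        # Build the DAG with sharing: one vertex v_t per distinct subterm t.
        if term in self.vertex:
            return self.vertex[term]
        kids = [self.add_term(t) for t in term[1:]]   # ordered successors v[i]
        v = len(self.label)
        self.label.append(term[0]); self.succ.append(kids)
        self.parent.append(v); self.preds.append([])
        for k in kids:                                  # predecessor lists used by MERGE
            self.preds[k].append(v)
        self.vertex[term] = v
        return v

    def find(self, u):                                  # FIND(u): class representative
        while self.parent[u] != u:
            u = self.parent[u]
        return u

    def union(self, u, v):                              # UNION(u, v): FIND(u) becomes t_v
        self.parent[self.find(u)] = self.find(v)

    def congruent(self, x, y):                          # CONGRUENT(x, y)
        return (self.label[x] == self.label[y] and len(self.succ[x]) == len(self.succ[y])
                and all(self.find(a) == self.find(b) for a, b in zip(self.succ[x], self.succ[y])))

    def class_preds(self, u):                           # P_u: predecessors of u's whole class
        return [p for w in range(len(self.label)) if self.find(w) == self.find(u) for p in self.preds[w]]

    def merge(self, u, v):                              # MERGE(u, v)
        if self.find(u) == self.find(v):
            return
        p_u, p_v = self.class_preds(u), self.class_preds(v)
        self.union(u, v)
        for x in p_u:                                   # merge congruent predecessors, recursively
            for y in p_v:
                if self.find(x) != self.find(y) and self.congruent(x, y):
                    self.merge(x, y)

def satisfiable(equalities, disequalities):
    # Decision procedure: True iff /\ s_i = t_i  /\  /\ s'_j != t'_j is satisfiable.
    cc = CongruenceClosure()
    eq = [(cc.add_term(s), cc.add_term(t)) for s, t in equalities]      # step 1: DAG for S_F
    neq = [(cc.add_term(s), cc.add_term(t)) for s, t in disequalities]
    for vs, vt in eq:                                   # step 2: R_i := MERGE(v_si, v_ti)
        cc.merge(vs, vt)
    return all(cc.find(vs) != cc.find(vt) for vs, vt in neq)   # steps 3 and 4
```

Calling satisfiable([(f(a,b), a)], [(f(f(a,b),b), a)]) with the tuple encoding returns False, i.e. the negated goal is unsatisfiable and the entailment holds.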