The Calculus of Computation: Decision Procedures with Applications to Verification
by Aaron Bradley and Zohar Manna, Springer 2007

10. Combining Decision Procedures

10-2 Combining Decision Procedures: Nelson-Oppen Method

10-3 Combining Decision Procedures

Given
  a Σ1-theory T1 with decision procedure P1 for T1-satisfiability, and
  a Σ2-theory T2 with decision procedure P2 for T2-satisfiability.

Goal: a decision procedure P for (T1 ∪ T2)-satisfiability.

Example: How do we show that
  F : 1 ≤ x ∧ x ≤ 2 ∧ f(x) ≠ f(1) ∧ f(x) ≠ f(2)
is (T_E ∪ T_Z)-unsatisfiable?

10-4
Theories T_i over signatures Σ_i (constants, functions, predicates) with corresponding decision procedures P_i for T_i-satisfiability.
Decide satisfiability of a sentence in the theory ∪_i T_i.
Problem: Decision procedures are domain specific. How do we combine them?
10-5 Nelson-Oppen Combination Method (N-O Method)

Given a formula F in the theory T1 ∪ T2.

  Σ1-theory T1, stably infinite            Σ2-theory T2, stably infinite
  P1 for T1-satisfiability                 P2 for T2-satisfiability
    of quantifier-free Σ1-formulae           of quantifier-free Σ2-formulae
                        Σ1 ∩ Σ2 = {=}
              P for (T1 ∪ T2)-satisfiability
           of quantifier-free (Σ1 ∪ Σ2)-formulae

10-6 Nelson-Oppen: Limitations
1. F must be quantifier-free.
2. The signatures Σ_i of the combined theory only share =, i.e., Σ1 ∩ Σ2 = {=}.
3. The theories must be stably infinite.

Note:
◮ The algorithm can be extended to combine an arbitrary number of theories T_i: combine two, then combine the result with another, and so on.
◮ We restrict F to be a conjunctive formula; otherwise convert to DNF and check each disjunct.

10-7 Stably Infinite Theories
A Σ-theory T is stably infinite iff for every quantifier-free Σ-formula F:
  if F is T-satisfiable
  then there exists some T-interpretation with an infinite domain that satisfies F.

Example: the Σ-theory T with Σ : {a, b, =} and the axiom
  ∀x. x = a ∨ x = b.
For every T-interpretation I, |D_I| ≤ 2 (at most two elements). Hence, T is not stably infinite.
All the other theories mentioned so far are stably infinite.

10-8 Example: Theory of partial orders
Σ⪯-theory T⪯ with Σ⪯ : {⪯, =}, where ⪯ is a binary predicate.
Axioms
1. ∀x. x ⪯ x                                  (reflexivity)
2. ∀x, y. x ⪯ y ∧ y ⪯ x → x = y               (antisymmetry)
3. ∀x, y, z. x ⪯ y ∧ y ⪯ z → x ⪯ z            (transitivity)
10-9 We prove that T⪯ is stably infinite.
Consider a T⪯-satisfiable quantifier-free Σ⪯-formula F.
Consider an arbitrary satisfying T⪯-interpretation I : (D_I, α_I), where α_I maps ⪯ to ⪯_I.
◮ Let A be any infinite set disjoint from D_I.
◮ Construct a new interpretation J : (D_J, α_J):
  ◮ D_J = D_I ∪ A
  ◮ α_J = {⪯ ↦ ⪯_J}, where for a, b ∈ D_J,
        a ⪯_J b  =def  a ⪯_I b   if a, b ∈ D_I
                       a = b     otherwise
J is a T⪯-interpretation satisfying F with an infinite domain. Hence, T⪯ is stably infinite.

10-10 Example: Consider the quantifier-free conjunctive (Σ_E ∪ Σ_Z)-formula
  F : 1 ≤ x ∧ x ≤ 2 ∧ f(x) ≠ f(1) ∧ f(x) ≠ f(2).
The signatures of T_E and T_Z only share =. Also, both theories are stably infinite. Hence, the N-O combination of the decision procedures for T_E and T_Z decides the (T_E ∪ T_Z)-satisfiability of F.
Intuitively, F is (T_E ∪ T_Z)-unsatisfiable: the first two literals imply x = 1 ∨ x = 2, so that f(x) = f(1) ∨ f(x) = f(2), which contradicts the last two literals. Hence, F is (T_E ∪ T_Z)-unsatisfiable.

10-11 N-O Overview
Consider a quantifier-free conjunctive (Σ1 ∪ Σ2)-formula F.
Two versions:
◮ nondeterministic: simple to present, but high complexity
◮ deterministic: efficient
The Nelson-Oppen (N-O) method proceeds in two steps:
◮ Phase 1 (variable abstraction): the same for both versions
◮ Phase 2:
    nondeterministic: guess equalities/disequalities and check
    deterministic: generate equalities/disequalities by equality propagation

10-12 Nelson-Oppen Method: Overview
Phase 1: Variable Abstraction
◮ Given a conjunction Γ in the theory T1 ∪ T2.
◮ Convert it to a conjunction Γ1 ∪ Γ2 s.t.
  ◮ Γ_i is in theory T_i, and
  ◮ Γ1 ∪ Γ2 is satisfiable iff Γ is satisfiable.
Phase 2: Check
◮ If there is some set S of equalities and disequalities between the shared variables of Γ1 and Γ2,
    shared(Γ1, Γ2) = free(Γ1) ∩ free(Γ2),
  s.t. S ∪ Γ_i is T_i-satisfiable for all i, then Γ is satisfiable.
◮ Otherwise, Γ is unsatisfiable.
10-13 Phase 1: Variable abstraction
Given a quantifier-free conjunctive (Σ1 ∪ Σ2)-formula F.
Transform F into two quantifier-free conjunctive formulae, a Σ1-formula F1 and a Σ2-formula F2, s.t.
  F is (T1 ∪ T2)-satisfiable iff F1 ∧ F2 is (T1 ∪ T2)-satisfiable.
F1 and F2 are linked via a set of shared variables.
For a term t, let hd(t) be its root symbol, e.g. hd(f(x)) = f.

10-14 Generation of F1 and F2
For i, j ∈ {1, 2} and i ≠ j, repeat the transformations
(1) if function f ∈ Σ_i and hd(t) ∈ Σ_j,
      F[f(t1, ..., t, ..., tn)] ⇒ F[f(t1, ..., w, ..., tn)] ∧ w = t
(2) if predicate p ∈ Σ_i and hd(t) ∈ Σ_j,
      F[p(t1, ..., t, ..., tn)] ⇒ F[p(t1, ..., w, ..., tn)] ∧ w = t
(3) if hd(s) ∈ Σ_i and hd(t) ∈ Σ_j,
      F[s = t] ⇒ F[⊤] ∧ w = s ∧ w = t
(4) if hd(s) ∈ Σ_i and hd(t) ∈ Σ_j,
      F[s ≠ t] ⇒ F[w1 ≠ w2] ∧ w1 = s ∧ w2 = t
where w, w1, and w2 are fresh variables.

10-15 Example: Consider the (Σ_E ∪ Σ_Z)-formula
  F : 1 ≤ x ∧ x ≤ 2 ∧ f(x) ≠ f(1) ∧ f(x) ≠ f(2).
According to transformation (1), since f ∈ Σ_E and 1 ∈ Σ_Z, replace f(1) by f(w1) and add w1 = 1. Similarly, replace f(2) by f(w2) and add w2 = 2. Now, the literals
  Γ_Z : {1 ≤ x, x ≤ 2, w1 = 1, w2 = 2}
are T_Z-literals, while the literals
  Γ_E : {f(x) ≠ f(w1), f(x) ≠ f(w2)}
are T_E-literals. Hence, construct the Σ_Z-formula
  F1 : 1 ≤ x ∧ x ≤ 2 ∧ w1 = 1 ∧ w2 = 2
and the Σ_E-formula
  F2 : f(x) ≠ f(w1) ∧ f(x) ≠ f(w2).
F1 and F2 share the variables {x, w1, w2}. F1 ∧ F2 is (T_E ∪ T_Z)-equisatisfiable to F.

10-16 Example: Consider the (Σ_E ∪ Σ_Z)-formula
  F : f(x) = x + y ∧ x ≤ y + z ∧ x + z ≤ y ∧ y = 1 ∧ f(x) ≠ f(2).
In the first literal, hd(f(x)) = f ∈ Σ_E and hd(x + y) = + ∈ Σ_Z; thus, by (3), replace the literal with
  w1 = f(x) ∧ w1 = x + y.
In the final literal, f ∈ Σ_E but 2 ∈ Σ_Z, so by (1), replace it with
  f(x) ≠ f(w2) ∧ w2 = 2.
Now, separating the literals results in two formulae:
  F1 : w1 = x + y ∧ x ≤ y + z ∧ x + z ≤ y ∧ y = 1 ∧ w2 = 2
is a Σ_Z-formula, and
  F2 : w1 = f(x) ∧ f(x) ≠ f(w2)
is a Σ_E-formula. The conjunction F1 ∧ F2 is (T_E ∪ T_Z)-equisatisfiable to F.
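The two examples above apply transformations (1)-(4) by hand. The following Python implementation of Phase 1 is an added example, not code from the book or the slides. It assumes its own term encoding (a variable is a `str`, a Σ_Z constant an `int`, an application a tuple `(head, args...)` with `+`, `-` and `≤` as the Σ_Z symbols and every other head an uninterpreted Σ_E function), and it sends a literal that contains only variables to the Σ_Z side, which the slides leave open. Fresh variables are numbered in creation order so that the output lines up with F1 and F2 on slides 10-15 and 10-16; `purify` also handles nesting deeper than the slides show, by abstracting bottom-up.

```python
from itertools import count

# Term representation (an assumption of this example): a variable is a str, a
# Sigma_Z constant is an int, an application is a tuple (head, arg, ...). Heads in
# Z_SYMS belong to Sigma_Z; every other head is an uninterpreted Sigma_E function.
# Literals are (op, s, t) with op in {"=", "!=", "<="}; = and != are shared.
Z_SYMS = {"+", "-", "<="}


def theory(t):
    """Signature of hd(t): 'Z', 'E', or None when t is a variable."""
    if isinstance(t, int):
        return "Z"
    if isinstance(t, tuple):
        return "Z" if t[0] in Z_SYMS else "E"
    return None


def variables(t):
    if isinstance(t, str):
        return {t}
    if isinstance(t, tuple):
        return set().union(*(variables(a) for a in t[1:]))
    return set()


def purify(literals):
    """Phase 1: return (F1, F2, shared) with F1 a Sigma_Z and F2 a Sigma_E
    conjunction such that F1 /\ F2 is equisatisfiable to the input."""
    fresh, out = count(1), []

    def abstract(t):
        w = f"w{next(fresh)}"          # fresh variable w and the new literal w = t
        out.append(("=", w, t))
        return w

    def pure(t):
        # Rules (1)/(2), bottom-up: an argument whose head lies in the other
        # signature than the enclosing symbol is replaced by a fresh variable.
        if not isinstance(t, tuple):
            return t
        th = theory(t)
        args = [pure(a) for a in t[1:]]
        args = [abstract(a) if theory(a) not in (None, th) else a for a in args]
        return (t[0],) + tuple(args)

    for op, s, t in literals:
        if op == "<=":                  # Sigma_Z predicate: rule (2) via pure()
            _, s, t = pure(("<=", s, t))
            out.append(("<=", s, t))
            continue
        s, t = pure(s), pure(t)
        ts, tt = theory(s), theory(t)
        if ts and tt and ts != tt:      # hd(s) and hd(t) in different signatures
            if op == "=":               # rule (3): w = s /\ w = t
                out.append(("=", abstract(s), t))
            else:                       # rule (4): w1 != w2 /\ w1 = s /\ w2 = t
                out.append(("!=", abstract(s), abstract(t)))
        else:
            out.append((op, s, t))

    def side(lit):
        # Literals are now pure; one over variables only is sent to Sigma_Z.
        return "Z" if lit[0] == "<=" else theory(lit[1]) or theory(lit[2]) or "Z"

    f1 = [l for l in out if side(l) == "Z"]
    f2 = [l for l in out if side(l) == "E"]
    free = lambda ls: set().union(*(variables(x) for l in ls for x in l[1:]))
    return f1, f2, free(f1) & free(f2)


# Slide 10-15:  F : 1 <= x /\ x <= 2 /\ f(x) != f(1) /\ f(x) != f(2)
EXAMPLE_1 = [("<=", 1, "x"), ("<=", "x", 2),
             ("!=", ("f", "x"), ("f", 1)), ("!=", ("f", "x"), ("f", 2))]
# Slide 10-16:  F : f(x) = x + y /\ x <= y + z /\ x + z <= y /\ y = 1 /\ f(x) != f(2)
EXAMPLE_2 = [("=", ("f", "x"), ("+", "x", "y")), ("<=", "x", ("+", "y", "z")),
             ("<=", ("+", "x", "z"), "y"), ("=", "y", 1), ("!=", ("f", "x"), ("f", 2))]

if __name__ == "__main__":
    for f in (EXAMPLE_1, EXAMPLE_2):
        print(*purify(f), sep="\n")
```

Running it on EXAMPLE_1 yields F1 = {1 ≤ x, x ≤ 2, w1 = 1, w2 = 2}, F2 = {f(x) ≠ f(w1), f(x) ≠ f(w2)} and shared = {x, w1, w2}, exactly the separation on slide 10-15; EXAMPLE_2 reproduces slide 10-16. The fresh variables are what later lets each side be checked on its own, so the shared set is returned explicitly rather than recomputed.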
10-17 Nondeterministic Version
Phase 2: Guess and Check
◮ Phase 1 separated the (Σ1 ∪ Σ2)-formula F into two formulae: a Σ1-formula F1 and a Σ2-formula F2.
◮ F1 and F2 are linked by a set of shared variables:
    V = shared(F1, F2) = free(F1) ∩ free(F2)
◮ Let E be an equivalence relation over V.
◮ The arrangement α(V, E) of V induced by E is:
    α(V, E) :  ⋀_{u, v ∈ V. uEv} u = v  ∧  ⋀_{u, v ∈ V. ¬(uEv)} u ≠ v
Then the original formula F is (T1 ∪ T2)-satisfiable iff there exists an equivalence relation E of V s.t.
  (1) F1 ∧ α(V, E) is T1-satisfiable, and
  (2) F2 ∧ α(V, E) is T2-satisfiable.
Otherwise, F is (T1 ∪ T2)-unsatisfiable.

10-18 Example: Consider the (Σ_E ∪ Σ_Z)-formula
  F : 1 ≤ x ∧ x ≤ 2 ∧ f(x) ≠ f(1) ∧ f(x) ≠ f(2).
Phase 1 separates this formula into the Σ_Z-formula
  F1 : 1 ≤ x ∧ x ≤ 2 ∧ w1 = 1 ∧ w2 = 2
and the Σ_E-formula
  F2 : f(x) ≠ f(w1) ∧ f(x) ≠ f(w2)
with V = shared(F1, F2) = {x, w1, w2}.
There are 5 equivalence relations to consider, which we list by stating the partitions:

10-19
1. {{x, w1, w2}}, i.e., x = w1 = w2:
   x = w1 and f(x) ≠ f(w1) ⇒ F2 ∧ α(V, E) is T_E-unsatisfiable.
2. {{x, w1}, {w2}}, i.e., x = w1, x ≠ w2:
   x = w1 and f(x) ≠ f(w1) ⇒ F2 ∧ α(V, E) is T_E-unsatisfiable.
3. {{x, w2}, {w1}}, i.e., x = w2, x ≠ w1:
   x = w2 and f(x) ≠ f(w2) ⇒ F2 ∧ α(V, E) is T_E-unsatisfiable.
4. {{x}, {w1, w2}}, i.e., x ≠ w1, w1 = w2:
   w1 = w2 and w1 = 1 ∧ w2 = 2 ⇒ F1 ∧ α(V, E) is T_Z-unsatisfiable.
5. {{x}, {w1}, {w2}}, i.e., x ≠ w1, x ≠ w2, w1 ≠ w2:
   x ≠ w1 ∧ x ≠ w2 and x = w1 = 1 ∨ x = w2 = 2 (since 1 ≤ x ≤ 2 implies that x = 1 ∨ x = 2 in T_Z)
   ⇒ F1 ∧ α(V, E) is T_Z-unsatisfiable.
Hence, F is (T_E ∪ T_Z)-unsatisfiable.

10-20 Example: Consider the (Σ_cons ∪ Σ_Z)-formula
  F : car(x) + car(y) = z ∧ cons(x, z) ≠ cons(y, z).
After two applications of (1), Phase 1 separates F into the Σ_cons-formula
  F1 : w1 = car(x) ∧ w2 = car(y) ∧ cons(x, z) ≠ cons(y, z)
and the Σ_Z-formula
  F2 : w1 + w2 = z,
with V = shared(F1, F2) = {z, w1, w2}.
Consider the equivalence relation E given by the partition {{z}, {w1}, {w2}}. The arrangement
  α(V, E) : z ≠ w1 ∧ z ≠ w2 ∧ w1 ≠ w2
satisfies both F1 and F2: F1 ∧ α(V, E) is T_cons-satisfiable, and F2 ∧ α(V, E) is T_Z-satisfiable. Hence, F is (T_cons ∪ T_Z)-satisfiable.
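The five-way case analysis on slide 10-19 is the nondeterministic Phase 2 run by hand. The following Python program is an added example, not code from the book or the slides, that mechanises it: it enumerates every partition of V, builds α(V, E), and hands F1 ∧ α(V, E) and F2 ∧ α(V, E) to one decision procedure each. The T_E procedure is congruence closure over a union-find. For T_Z the example assumes only the fragment these slides need (s ≤ t, s = t, s ≠ t with s, t variables or integer constants), decided by splitting each disequality into s ≤ t − 1 or t ≤ s − 1 and checking for a negative cycle with Bellman-Ford; this stands in for a general T_Z procedure and is not the book's. The purified F1, F2 and V are transcribed by hand from slide 10-15 as constructed input.

```python
from itertools import combinations, product

# Literals are (op, s, t). T_E terms are variables (str) or applications
# (head, arg, ...); T_Z terms are variables or int constants, op in {"<=", "=", "!="}.
# An arrangement only relates variables, so it can be conjoined to either side.


def te_sat(literals):
    """T_E decision procedure for a conjunction: congruence closure with a
    union-find over all subterms, then every disequality must separate classes."""
    terms = set()

    def collect(t):
        terms.add(t)
        if isinstance(t, tuple):
            for a in t[1:]:
                collect(a)

    for _, s, t in literals:
        collect(s)
        collect(t)
    parent = {t: t for t in terms}

    def find(t):
        while parent[t] != t:
            parent[t] = parent[parent[t]]
            t = parent[t]
        return t

    for op, s, t in literals:
        if op == "=":
            parent[find(s)] = find(t)
    apps = [t for t in terms if isinstance(t, tuple)]
    changed = True
    while changed:  # congruence: merge f(a..) and f(b..) once a.. = b.. classwise
        changed = False
        for a, b in combinations(apps, 2):
            if a[0] == b[0] and len(a) == len(b) and find(a) != find(b) \
                    and all(find(x) == find(y) for x, y in zip(a[1:], b[1:])):
                parent[find(a)] = find(b)
                changed = True
    return all(find(s) != find(t) for op, s, t in literals if op == "!=")


def _diff(s, t, c):
    """Normalise s - t <= c; integer constants are folded into the node '0'."""
    if isinstance(s, int):
        c, s = c - s, "0"
    if isinstance(t, int):
        c, t = c + t, "0"
    return (s, t, c)


def tz_sat(literals):
    """T_Z decision procedure for the difference-constraint fragment used here
    (s <= t, s = t, s != t). Each s != t is split into s <= t - 1 or t <= s - 1
    (exact over the integers); each case is a Bellman-Ford negative-cycle check."""
    base, splits = [], []
    for op, s, t in literals:
        if op == "<=":
            base.append(_diff(s, t, 0))
        elif op == "=":
            base += [_diff(s, t, 0), _diff(t, s, 0)]
        else:
            splits.append([_diff(s, t, -1), _diff(t, s, -1)])
    for choice in product(*splits):
        edges = base + list(choice)  # u - v <= c is the edge v -> u with weight c
        nodes = {n for e in edges for n in e[:2]} | {"0"}
        dist = dict.fromkeys(nodes, 0)  # virtual source at distance 0 from every node
        for _ in range(len(nodes)):
            relaxed = False
            for u, v, c in edges:
                if dist[v] + c < dist[u]:
                    dist[u] = dist[v] + c
                    relaxed = True
            if not relaxed:  # no negative cycle: dist is an integer model
                return True
    return False  # every split has a negative cycle


def partitions(items):
    """Every set partition of items, one per equivalence relation E on V."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for p in partitions(rest):
        for i in range(len(p)):
            yield p[:i] + [[first] + p[i]] + p[i + 1:]
        yield [[first]] + p


def arrangement(partition):
    """alpha(V, E): u = v within a block, u != v across blocks."""
    lits = []
    for i, blk in enumerate(partition):
        lits += [("=", u, v) for u, v in combinations(blk, 2)]
        lits += [("!=", u, v) for other in partition[i + 1:] for u in blk for v in other]
    return lits


def nelson_oppen(f1_z, f2_e, shared):
    """Nondeterministic Phase 2: a partition whose arrangement both procedures
    accept, or None when F is (T_E u T_Z)-unsatisfiable."""
    for p in partitions(sorted(shared)):
        alpha = arrangement(p)
        if tz_sat(f1_z + alpha) and te_sat(f2_e + alpha):
            return p
    return None


# Phase 1 output for slide 10-15, transcribed by hand (constructed input):
# F1 : 1 <= x /\ x <= 2 /\ w1 = 1 /\ w2 = 2    F2 : f(x) != f(w1) /\ f(x) != f(w2)
F1_Z = [("<=", 1, "x"), ("<=", "x", 2), ("=", "w1", 1), ("=", "w2", 2)]
F2_E = [("!=", ("f", "x"), ("f", "w1")), ("!=", ("f", "x"), ("f", "w2"))]
SHARED = {"x", "w1", "w2"}

if __name__ == "__main__":
    print(nelson_oppen(F1_Z, F2_E, SHARED))                  # None: unsatisfiable
    print(nelson_oppen(F1_Z[:1] + F1_Z[2:], F2_E, SHARED))   # drop x <= 2: satisfiable
```

On the slide's F the search visits all five partitions and rejects each one, three on the T_E side and two on the T_Z side, just as slide 10-19 does, and returns None. Dropping x ≤ 2 makes the all-singletons partition acceptable to both sides (x = 3 is a T_Z model), which is the witness the procedure returns. The number of partitions is the Bell number of |V|, which is why the deterministic version with equality propagation is the one used in practice.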