The Calculus of Computation: Decision Procedures with Applications to Verification, 9. Quantifier-free Equality and Data Structures - PowerPoint PPT Presentation

The Calculus of Computation: Decision Procedures with Applications to Verification
by Aaron Bradley and Zohar Manna, Springer 2007

9. Quantifier-free Equality and Data Structures

The Theory of Equality T_E

Σ_E : { =, a, b, c, ..., f, g, h, ..., p, q, r, ... }

uninterpreted symbols:
• constants a, b, c, ...
• functions f, g, h, ...
• predicates p, q, r, ...

Example:
  x = y ∧ f(x) ≠ f(y)   T_E-unsatisfiable
  f(x) = f(y) ∧ x ≠ y   T_E-unsatisfiable
  f(f(f(a))) = a ∧ f(f(f(f(f(a))))) = a ∧ f(a) ≠ a   T_E-unsatisfiable

Axioms of T_E

1. ∀x. x = x (reflexivity)
2. ∀x, y. x = y → y = x (symmetry)
3. ∀x, y, z. x = y ∧ y = z → x = z (transitivity)
define = to be an equivalence relation.

Axiom schema
4. for each positive integer n and n-ary function symbol f,
     ∀x_1, ..., x_n, y_1, ..., y_n. ⋀_i x_i = y_i → f(x_1, ..., x_n) = f(y_1, ..., y_n) (congruence)

For example, ∀x, y. x = y → f(x) = f(y).
Then x = g(y, z) → f(x) = f(g(y, z)) is T_E-valid.

Axiom schema
5. for each positive integer n and n-ary predicate symbol p,
     ∀x_1, ..., x_n, y_1, ..., y_n. ⋀_i x_i = y_i → (p(x_1, ..., x_n) ↔ p(y_1, ..., y_n)) (equivalence)

Thus, x = y → (p(x) ↔ p(y)) is T_E-valid.

We discuss T_E-formulae without predicates

For example, for Σ_E-formula
  F : p(x) ∧ q(x, y) ∧ q(y, z) → ¬q(x, z)
introduce a fresh constant • and fresh functions f_p and f_q, and transform F to
  G : f_p(x) = • ∧ f_q(x, y) = • ∧ f_q(y, z) = • → f_q(x, z) ≠ •.

Equivalence and Congruence Relations: Basics

Binary relation R over set S
• is an equivalence relation if
  ◮ reflexive: ∀s ∈ S. sRs;
  ◮ symmetric: ∀s_1, s_2 ∈ S. s_1Rs_2 → s_2Rs_1;
  ◮ transitive: ∀s_1, s_2, s_3 ∈ S. s_1Rs_2 ∧ s_2Rs_3 → s_1Rs_3.
• is a congruence relation if in addition
    ∀s, t. ⋀_{i=1}^{n} s_iRt_i → f(s)Rf(t).

Example: Define the binary relation ≡_2 over the set Z of integers by
  m ≡_2 n iff (m mod 2) = (n mod 2).
That is, m, n ∈ Z are related iff they are both even or both odd. ≡_2 is an equivalence relation.

Classes

For an equivalence (congruence) relation R over set S, the equivalence (congruence) class of s ∈ S under R is
  [s]_R =def { s′ ∈ S : sRs′ }.

Example: The equivalence class of 3 under ≡_2 over Z is
  [3]_{≡_2} = { n ∈ Z : n is odd }.

Partitions

A partition P of S is a set of subsets of S that is
◮ total: ⋃_{S′ ∈ P} S′ = S
◮ disjoint: ∀S_1, S_2 ∈ P. S_1 ∩ S_2 = ∅

Quotient

The quotient S/R of S by an equivalence (congruence) relation R is the set of equivalence (congruence) classes
  S/R = { [s]_R : s ∈ S }.
It is a partition.

Example: The quotient Z/≡_2 is a partition of Z: the set of equivalence classes
  {{ n ∈ Z : n is odd }, { n ∈ Z : n is even }}

Note the duality between relations and classes.

Refinements

Two binary relations R_1 and R_2 over set S. R_1 is a refinement of R_2, written R_1 ≺ R_2, if
  ∀s_1, s_2 ∈ S. s_1R_1s_2 → s_1R_2s_2.
R_1 refines R_2.

Examples:
◮ For S = {a, b}, R_1 : {aR_1b} and R_2 : {aR_2b, bR_2b}. Then R_1 ≺ R_2.
◮ For set S, R_1 induced by the partition P_1 : {{s} : s ∈ S} and R_2 induced by the partition P_2 : {S}. Then R_1 ≺ R_2.
◮ For set Z, R_1 : {xR_1y : x mod 2 = y mod 2} and R_2 : {xR_2y : x mod 4 = y mod 4}. Then R_2 ≺ R_1.

Closures

Given binary relation R over S. The equivalence closure R^E of R is the equivalence relation s.t.
◮ R refines R^E, i.e. R ≺ R^E;
◮ for all other equivalence relations R′ s.t. R ≺ R′, either R′ = R^E or R^E ≺ R′.
That is, R^E is the "smallest" equivalence relation that "covers" R.

Example: If S = {a, b, c, d} and R = {aRb, bRc, dRd}, then
• aRb, bRc, dRd ∈ R^E since R ⊆ R^E;
• aRa, bRb, cRc ∈ R^E by reflexivity;
• bRa, cRb ∈ R^E by symmetry;
• aRc ∈ R^E by transitivity;
• cRa ∈ R^E by symmetry.
Hence,
  R^E = {aRb, bRa, aRa, bRb, bRc, cRb, cRc, aRc, cRa, dRd}.

Similarly, the congruence closure R^C of R is the "smallest" congruence relation that "covers" R.

Congruence Closure Algorithm

Given Σ_E-formula
  F : s_1 = t_1 ∧ ··· ∧ s_m = t_m ∧ s_{m+1} ≠ t_{m+1} ∧ ··· ∧ s_n ≠ t_n
decide if F is Σ_E-satisfiable.

Definition: For Σ_E-formula F, the subterm set S_F of F is the set that contains precisely the subterms of F.

Example: The subterm set of
  F : f(a, b) = a ∧ f(f(a, b), b) ≠ a
is
  S_F = { a, b, f(a, b), f(f(a, b), b) }.

Given Σ_E-formula F with subterm set S_F, F is T_E-satisfiable iff there exists a congruence relation ∼ over S_F such that
◮ for each i ∈ {1, ..., m}, s_i ∼ t_i;
◮ for each i ∈ {m+1, ..., n}, s_i ≁ t_i.

Such a congruence relation ∼ defines a T_E-interpretation I : (D_I, α_I) of F. D_I consists of |S_F/∼| elements, one for each congruence class of S_F under ∼.

Instead of writing I ⊨ F for this T_E-interpretation, we abbreviate ∼ ⊨ F.

The goal of the algorithm is to construct the congruence relation of S_F, or to prove that no congruence relation exists.

The Algorithm

Given Σ_E-formula
  F : s_1 = t_1 ∧ ··· ∧ s_m = t_m ∧ s_{m+1} ≠ t_{m+1} ∧ ··· ∧ s_n ≠ t_n
where the equalities s_1 = t_1, ..., s_m = t_m generate the congruence closure and the disequalities s_{m+1} ≠ t_{m+1}, ..., s_n ≠ t_n are searched for a contradiction.

The algorithm performs the following steps:
1. Construct the congruence closure ∼ of
     { s_1 = t_1, ..., s_m = t_m }
   over the subterm set S_F. Then
     ∼ ⊨ s_1 = t_1 ∧ ··· ∧ s_m = t_m.
2. If for any i ∈ {m+1, ..., n}, s_i ∼ t_i, return unsatisfiable.
3. Otherwise, ∼ ⊨ F, so return satisfiable.

How do we actually construct the congruence closure in Step 1?

Initially, begin with the finest congruence relation ∼_0 given by the partition
  {{s} : s ∈ S_F}.
That is, let each term of S_F be its own congruence class.

Then, for each i ∈ {1, ..., m}, impose s_i = t_i by merging
  [s_i]_{∼_{i−1}} and [t_i]_{∼_{i−1}}
to form a new congruence relation ∼_i. To accomplish this merging,
◮ form the union of [s_i]_{∼_{i−1}} and [t_i]_{∼_{i−1}};
◮ propagate any new congruences that arise within this union.
The new relation ∼_i is a congruence relation in which s_i ∼ t_i.

Example: Given Σ_E-formula
  F : f(a, b) = a ∧ f(f(a, b), b) ≠ a

Construct the initial partition by letting each member of the subterm set S_F be its own class:
1. {{a}, {b}, {f(a, b)}, {f(f(a, b), b)}}

According to the first literal f(a, b) = a, merge {f(a, b)} and {a} to form the partition
2. {{a, f(a, b)}, {b}, {f(f(a, b), b)}}

According to the (congruence) axiom, f(a, b) ∼ a and b ∼ b imply f(f(a, b), b) ∼ f(a, b), resulting in the new partition
3. {{a, f(a, b), f(f(a, b), b)}, {b}}

This partition represents the congruence closure of S_F. Now, is it the case that
4. {{a, f(a, b), f(f(a, b), b)}, {b}} ⊨ F ?
No, as f(f(a, b), b) ∼ a but F asserts that f(f(a, b), b) ≠ a. Hence, F is T_E-unsatisfiable.
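The procedure above in working code, as an added example that is not part of the slides or the book: a union-find over the subterm set S_F, where `decide` (a name chosen here) performs Step 1 by merging the classes of each equality and propagating the congruences that arise, then Steps 2 and 3 by checking whether any disequality's sides share a class. On the slides' formula F it returns unsatisfiable with the partition {{a, f(a, b), f(f(a, b), b)}, {b}} from the worked example, and it decides the f(f(f(a))) = a ∧ f(f(f(f(f(a))))) = a ∧ f(a) ≠ a example from the Theory of Equality slide the same way.

```python
# Added example (not from the slides): the chapter's congruence closure
# procedure, implemented with a union-find over the subterm set S_F.
# A term is a tuple: ('a',) is a constant, ('f', t1, t2) an application.

def subterms(t, acc):                         # collect S_F: every subterm of t
    acc.add(t)
    for arg in t[1:]:
        subterms(arg, acc)
    return acc

def show(t):                                  # pretty-print a term
    return t[0] if len(t) == 1 else f"{t[0]}({', '.join(show(a) for a in t[1:])})"

def decide(eqs, diseqs):
    """Decide s1=t1 ∧ ... ∧ sm=tm ∧ s_{m+1}≠t_{m+1} ∧ ... ∧ sn≠tn.
    Returns (satisfiable?, partition of S_F into congruence classes)."""
    terms = set()
    for s, t in eqs + diseqs:
        for side in (s, t):
            subterms(side, terms)
    parent = {t: t for t in terms}            # finest partition {{s} : s in S_F}
    apps = [t for t in terms if len(t) > 1]   # function applications in S_F

    def find(t):                              # representative of the class [t]
        while parent[t] != t:
            parent[t] = parent[parent[t]]
            t = parent[t]
        return t

    def congruent(u, v):                      # same symbol, arity, ~-equal arguments
        return (u[0] == v[0] and len(u) == len(v)
                and all(find(x) == find(y) for x, y in zip(u[1:], v[1:])))

    def merge(s, t):                          # form the union of [s] and [t] ...
        rs, rt = find(s), find(t)
        if rs == rt:
            return
        parent[rs] = rt
        for i, u in enumerate(apps):          # ... then propagate new congruences
            for v in apps[i + 1:]:
                if find(u) != find(v) and congruent(u, v):
                    merge(u, v)

    for s, t in eqs:                          # step 1: closure of the equalities
        merge(s, t)
    roots = set(map(find, terms))
    classes = frozenset(frozenset(show(t) for t in terms if find(t) == r) for r in roots)
    # steps 2 and 3: a disequality whose sides share a class is a contradiction
    return all(find(s) != find(t) for s, t in diseqs), classes
```

The propagation loop rescans every pair of applications after each union, which is quadratic but keeps the correspondence with the slides' "propagate any new congruences" step explicit; a production solver would index applications by argument class instead.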
