Ofer Strichman, Technion 1 Decision Procedures in First Order Logic Part II – Equality Logic and Uninterpreted Functions

Ofer Strichman, Technion 1

Decision Procedures in First Order Logic

Part II – Equality Logic and Uninterpreted Functions

Technion 2

Part I - Introduction Reminders -

What is Logic Proofs by deduction Proofs by enumeration Decidability, Soundness and Completeness Some notes on Propositional Logic

Deciding Propositional Logic SAT tools BDDs

Technion 3

Part II – Introduction to Equality Logic and Uninterpreted Functions

Introduction Definition, complexity Reducing Uninterpreted Functions to Equality Logic Using Uninterpreted Functions in proofs Simplifications

Introduction to the decision procedures The framework: assumptions and Normal Forms General terms and notions Solving a conjunction of equalities Simplifications

Technion 4

Equality Logic

A Boolean combination of Equalities and Propositionsx1=x2 Æ (x2 = x3 Ç : ((x1 = x3) Æ b Æ x1 = 2))

We will always push negations inside (NNF):x1=x2 Æ (x2 = x3 Ç ((x1 x3) Ç :b Ç x1 2))

Note: the set of Boolean variables is always separate from the set of term variables

Technion 5

Equality Logic: the grammar

formula : formula Ç formula | : formula | atom

atom : term-variable = term-variable | term-variable = constant | Boolean-variable

term-variables are defined over some (possible infinite) domain.The constants are from the same domain.

Technion 6

Expressiveness and complexity

Allows more natural description of systems, although technically it is as expressible as Propositional Logic.

Clearly NP-hard. In fact, it is in NP, and hence NP-complete, for

reasons we shall see later.

Technion 7

Expressiveness and complexity

Q1: Let L1 and L2 be two logics whose satisfiability problem is decidable and in the same complexity class. Is the satisfiability problem of an L1 formula reducible to a satisfiability problem of an L2 formula?

Q2: Let L1 and L2 be two logics whose satisfiability problems are reducible to one another. Are L1 and L2 in the same complexity class ?

Technion 8

Equality logic with uninterpreted functions

formula : formula Ç formula | : formula | atom

atom : term = term | Boolean-variable

term : term-variable| function ( list of terms )

term-variables are defined over some (possible infinite) domain.Note that constants are functions with empty list of terms.

Technion 9

Uninterpreted Functions

Every function is a mapping from a domain to a range.

Example: the ‘+’ function over the naturals N is a mapping from <N £ N> to N.

Technion 10


Now: suppose we replace ‘+’ with an uninterpreted Binary function f (h1st argi , h 2nd arg i)

For example: x1 + x2 = x3+x4 is replaced with

We lost the ‘semantics’ of ‘+’. In other words, f can

represent any binary function. Loosing the semantics means that f is not restricted

by any axioms. But f is still a function!

Technion 11

Uninterpreted Functions (UF’s)

The most general axiom for any function is functional consistency.

Example: if x = y, then f(x) = f(y) for any function f. Functional consistency axiom scheme:

x1=x1’ Æ … Æ xn=xn’ ! f(x1,…, xn) = f(x1’,…, xn’)

Sometimes, functional consistency is all that is needed for the proof.

Technion 12

Example: Circuit Transformations

Circuits consist of combinationalgates and latches (registers)

The combinational gates can be modeled using functions

The latches can be modeled with variables

R1R1

I

Latch

Combi- national part

Technion 13


Some function, say I >> 5

Some other function, say L1 & 100110001…

Some bitvector Input

Some condition on L2

Technion 14


A pipeline processes data in stages Data is processed in parallel – as in an

assembly line Formal Model:

Stage 1Stage 1

Stage 3Stage 3

Stage 2Stage 2

Technion 15


The maximum clock frequency depends on the longest path between two latches

Note that the output of g is usedas input to k

We want to speed up the design by postponing k to the third stage

Also note that the circuit only uses one of L3 or L4, never both

We can remove one of the latches

Technion 16


==??

Technion 17


Equivalence in this case holds regardless of the actual functions Conclusion: can be decided using Equality Logic and


Technion 18

For each function in UF: Number function instances

(from the inside out)

Replace each function instance with a new variable

Condition UF with a functional consistency constraint for every pair of instances of thesame function.

UFs Equality Logic: Ackermann’s reduction

F2(F1(x)) = 0

f2 = 0

F( ), G( ),…

((x = f1) f1 = f2 ) f2=0)

Given a formula UF with uninterpreted functions

f1

f2

Technion 19

Ackermann’s reduction : Example

Given the formula

(x1 x2) Ç (F(x1) = F(x2)) Ç (F(x1) F(x3))

which we want to check for validity, we first number the function instances:

(x1 x2) Ç (F1(x1) = F2(x2)) Ç (F1(x1) F3(x3))

Technion 20

Ackermann’s reduction : Example

(x1 x2) Ç (F1(x1) = F2(x2)) Ç (F1(x1) F3(x3))

Replace each function with a new variable,

(x1 x2) Ç (f1 = f2 ) Ç (f1 f3 )

Condition with Functional Consistency constraints:

Technion 21

Given a formula UF with UFs For each function in UF:

Number function instances (from the inside out)

Replace a function instance Fi with an expression

case x1 = xi :f1

x2 = xi : f2

xi-1 =xi :fi-1

true :fi

UFs Equality Logic: Bryant’s reduction

F1(x1) = F2(x2)

F( ), G( ),…

case x1 = x2 : f1

true :f2

f1 =

Technion 22

Bryant’s reduction: Example

x1 = x2 F1(G1(x1)) = F2(G2(x2))

Replace each function with an expression where

Technion 23

Using UFs in proofs

Uninterpreted functions gives us the ability to represent an abstract view of functions.

It over-approximates the concrete system.

1 + 1 = 1 is a contradiction

But

F (1,1) = 1 is satisfiable !

Conclusion: unless we are careful, we can give wrong answers and this way lose soundness.

Technion 24

Using UFs in proofs

In general a sound and incomplete method is more useful than unsound and complete.

A sound but incomplete algorithm:

Given a formula with uninterpreted functions UF:

Transform it to Equality Logic formula E

If E is unsatisfiable return Unsatisfiable Else return ‘Don’t know’

Technion 25

Using UFs in proofs

Question #1: is this useful ? Question #2: can it be made complete in some cases ?

When the abstract view is sufficient for the proof, it enables (or simplifies) a mechanical proof.

So when is the abstract view sufficient ?

Technion 26

Using UFs in proofs (cont’d)

(common) Proving equivalence between: Two versions of a hardware design (one with and one

without a pipeline) Source and target of a compiler (“Translation Validation”)

(rare) Proving properties that do not rely on the exact functionality of some of the functions.

Technion 27

Example: Translation Validation

Assume the source program has the statementz = (x1 + y1) (x2 + y2)

which the compiler turned into:u1 = x1 + y1;u2 = x2 + y2; z = u1 u2 ;

We need to prove that:(u1 = x1 + y1 u2 = x2 + y2 z = u1 u2) z = (x1 + y1) (x2 + y2)

Technion 28

Example (cont’d)

(u1 = x1 + y1 u2 = x2 + y2 z = u1 u2) z = (x1 + y1) (x2 + y2)

(u1 = F1(x1,y1) u2 = F2(x2,y2) z = G1 (u1,u2)) z = G2(F1(x1,y1), F2(x2,y2))

Claim: is valid We will prove this by reducing it to an Equality Logic

formula

UF:

Technion 29

Uninterpreted Functions: usability

Good: each function on the left can be mapped to a function on the right with equivalent arguments

Bad: almost all other cases Example:

Left Right

x + x 2x

Technion 30

Uninterpreted Functions: usability

This is easy to prove:x1 = y1 x2 = y2 x1 + y1 = x2 + y2

This requires knowledge on commutativity:x1 = y2 x2 = y1 x1 + y1 = x2 + y2

easy fix:((x1 = x2 y1 = y2) (x1 = y2 x2 = y1)) f1 = f2

What about other cases ? use Rewriting rules

Technion 31

Example: equivalence of C programs (1/4)

These two functions return the same value regardless if it is

‘*’ or any other function. Conclusion: we can prove equivalence by replacing ‘*’ with

an Uninterpreted Function

Power3(int in) {out = in;for (i=0; i < 2; i++)

out = out * in;return out;

}

Power3_new(int in) {out = (in*in)*in;return out;

}

Technion 32


But first… we need to know how to write programs as

equations. We will learn one out of several options, namely

Static Single Assignment for Bounded programs.



}


}

Technion 33

From programs to equations

Static Single Assignment (SSA) form

Ma ze???

Technion 34

Static Single Assignment form

In this case we can replace with a guard: y3 Ã x2 < 3 ? y1 : y2

Problem: What do we do with loops ?

Technion 35

SSA for bounded programs

For each loop i in a given program, let ki be a bound on its iteration count.

Unroll the program according to the bounds. We are left with statements and conditions.

Technion 36

SSA for bounded programs

:

x = 0;

while (x < y) {

x++;

z = z + y;

}

x = 0;

z = z * 2;

Let k1 = 2 … x0 = 0

guard0 = x0 < y0

x1 = guard0 ? x0 + 1:x0

z1 = guard0 ? z0 + y0:z0

guard1 = x1 < y0

x2 = guard1 ? x1 + 1: x1

z2 = guard1 ? z1 + y0: z1

x4 = 0

z3 = z2 * 2

Technion 37




}


}

out0 = in Æout1 = out0 * in Æout2 = out1 * in

out’0 = (in’ * in’) * in’

Prove that both functions return the same value (out2 = out’0) given that in = in’

Static Single Assignment (SSA) form:

Technion 38



out’0 = (in’ * in’) * in’

With Uninterpreted Functions:

out0 = in Æout1 = F1 (out0 , in) Æ

out2 = F2 (out1 , in)

out’0 = F4(F3(in’ , in’) , in’)


Technion 39

Example: equivalence of C programs (4/4)With Uninterpreted Functions:



out’0 = F4(F3(in’ , in’) , in’)

Ea : out0 = in Æ

out1 = f1 Æout2 = f2

Eb: out’0 = f4

Ackermann’s reduction:

The Verification Condition (“the proof obligation”)

((out0 = out1 Æ in = in) ! f1 = f2) Æ ((out0 = in’ Æ in = in’) ! f1 = f3) Æ ((out0 = f3 Æ in= in’) ! f1 = f4) Æ ((out1 = in’ Æ in= in’) ! f2 = f3) Æ ((out1 = f3 Æ in= in’) ! f2 = f4) Æ ((in’ = f3 Æ in’ = in’) ! f3 = f4)

Æ (in=in’) Æ

Ea Æ E

b ! out2 = out’0

Technion 40

Uninterpreted Functions: simplifications

Let n be the number of function instances of F() Both reduction schemes require O(n2) comparisons This can be the bottleneck of the verification effort

Solution: try to guess the pairing of functions Still sound: wrong guess can only make a valid formula

invalid

Technion 41

UFs: simplifications (1)

Given that x1 = x1’, x2 = x2’, x3 = x3’, prove ² o1 = o2

o1 = (x1 + (a ¢ x2)) a = x3 + 5 Left

f1 f2

o2 = (x 1’ + (b ¢ x2’)) b = x3’ + 5 Right

f3 f4

4 function instances 6 comparisons

Technion 42


o1 = (x1 + (a ¢ x2)) a = x3 + 5 Left

f1 f2

o2 = (x 1’ + (b ¢ x2’)) b = x3’ + 5 Right

f3 f4

Guess: validity of equivalence does not rely onf1

= f2 or on f3

= f4

Conclusion: only enforce functional consistency of pairs (Left,Right)

Technion 43


Down to 4 comparisons… (from n(n-1)/2 to n2/4) Another Guess: validity of equivalence only depends on

f1 = f3

and f2 = f4

Pattern matching can be useful here ...

o1 = (x1 + (a ¢ x2)) a = x3 + 5 Left

f1 f2

o2 = (x 1’ + (b ¢ x2’)) b = x3’ + 5 Right

f3 f4

Technion 44


+

¢in

in in

f1, f3

+

in 5

f2, f4

Match accordingto patterns (‘signatures’):

Down to 2 comparisons…

o1 = (x1 + (a ¢ x2)) a = x3 + 5 Left

f1 f2

o2 = (x 1’ + (b ¢ x2’)) b = x3’ + 5 Right

f3 f4

Technion 45


f1, f3

Propagate through intermediate variables:

+

in

in

in

¢

o1 = (x1 + (a ¢ x2)) a = x3 + 5 Left

f1 f2

o2 = (x 1’ + (b ¢ x2’)) b = x3’ + 5 Right

f3 f4

var

+

5

+

in

in

in

¢

+

5

Technion 46

Same example

map F1 to F3


out’0 = (in’ * in’) * in’

With Uninterpreted Functions:



out’0 = F4(F3(in’ , in’) , in’)


F

inin

F

Fin

in in

map F2 to F4

Technion 47

Same example, smaller Verification ConditionWith Uninterpreted Functions:



out’0 = F4(F3(in’ , in’) , in’)

Ea : out0 = in Æ


Eb: out’0 = f4

Ackermann’s reduction:

The Verification Condition has shrunk:

((out0 = in’ Æ in = in’) ! f1 = f3) Æ ((out1 = f3 Æ in= in’) ! f2 = f4)

Æ (in=in’) Æ Ea Æ E

b ! out2 = out’0

Technion 48

now with Bryant’s reduction:With Uninterpreted Functions:



out’0 = F4(F3(in’ , in’) , in’)

Ea : out0 = in Æ


Eb: out’0 =

case case in’=outo Æ in’=in : f1

true : f3 =out1

Æ in’=in: : f2

true : f4

Bryant’s reduction:

The Verification Condition (“the proof obligation”)

Prove validity of: Ea Æ E

b Æ in = in’) ! out2 = out’0

Technion 49

So is Equality Logic with UFs interesting?

1. It is expressible enough to state something interesting.

2. It is semi-decidable and more efficiently solvable than richer logics, for example in which some functions are interpreted.

3. Models which rely on infinite-type variables are more naturally expressed in this logic in comparison with Propositional Logic.

Technion 50

Part II – Introduction to Equality Logic and Uninterpreted Functions

Introduction Definition, complexity Reducing Uninterpreted Functions to Equality Logic Using Uninterpreted Functions in proofs Simplifications

Introduction to the decision procedures The framework: assumptions and Normal Forms General terms and notions Solving a conjunction of equalities Simplifications

Technion 51

Basic assumptions and notations

Input formulas are in NNF Input formulas are checked for satisfiability

Formula with Uninterpreted Functions: UF

Equality formula: E

Technion 52

First: conjunction of equalities

Input: A conjunction of equalities and disequalities

1. Define an equivalence class for each variable. For each equality x = y unite the equivalence classes of x and y. (use a an algorithm for uniting disjoint sets)

2. For each disequality u v if u is in the same equivalence class as v return 'UNSAT'.

3. Return 'SAT'.

Technion 53

Example

x1 = x2 Æ x2 = x3 Æ x4=x5 Æ x5 x1

x1 ,x

2 ,x3 x 4

,x 5

Equivalence class Equivalence class

Is there a disequality between members of the same class ?

Technion 54

Next: add Uninterpreted Functions

x1 = x2 Æ x2 = x3 Æ x4=x5 Æ x5 x1 Æ F(x1) F(x2)

x1 ,x

2 ,x3 x 4

,x 5


F(x1 )

F(x2 )

Technion 55

Next: Compute the Congruence Closure

x1 = x2 Æ x2 = x3 Æ x4=x5 Æ x5 x1 Æ F(x1) F(x2)

x1 ,x

2 ,x3

x 4,x 5


Now - is there a disequality between members of the same class ?This is called the Congruence Closure

F(x1 ),F(x

2 )

Technion 56

And now: consider a Boolean structure

x1 = x2 Ç (x2 = x3 Æ x4=x5 Æ x5 x1 Æ F(x1) F(x2))

x 4,x 5

Equivalence class

x 2,x 3

Equivalence class

case 1 case 2

Syntactic case splitting: this is what we want to avoid!

x1 ,x

2

Equivalence class

Technion 57

Deciding Equality Logic with UFs

Input: Equality Logic formula UF

Convert UF to DNF For each clause:

Define an equivalence class for each variable and each function instance.

For each equality x = y unite the equivalence classes of x and y. For each function symbol F, unite the classes of F(x) and F(y).

If all disequalities are between terms from different equivalence classes, and no two constants are in the same class, return 'SAT'.

Return 'UNSAT'.

Technion 58

Basic notions

E: x = y Æ y = z Æ z x The Equality predicates: {x = y, y = z, z x}

which we can break to two sets:

E= ={x = y, y = z}, E = {z x}

The Equality Graph GE(E) = hV,E=,Ei(a.k.a “E-graph”)

x

y

z

Technion 59

Basic notions

E: x = y Æ y = z Æ z x

unsatisfiable

2E: x = y Æ y = z Ç z x satisfiable

The graph GE(E) represents an abstraction of E

It ignores the Boolean structure of E

x

y

z

Technion 60

Basic notions

Equality Path: a path in E= we write x =*z

Disequality Path: a path in E= with exactly one edge from E. We write x *y

x

y

z

Technion 61

Basic notions

Contradictory Cycle: two nodes x and y, s.t. x=*y and x * y form a contradictory cycle

Dfn: A subgraph is called satisfiable iff the conjunction of the predicates represented by its edges is satisfiable.

Thm: A subgraph is unsatisfiable iff it contains a Contradictory cycle

x

y

z

Technion 62

Basic notions

Thm: Every contradictory cycle is either simple or

contains a simple contradictory cycle

Technion 63

Simplifications, again

Let S be the set of edges that are not part of any contradictory cycle

Thm: replacing all solid edges in S with False, and all dashed edges in S with True, preserves satisfiability

Technion 64

Simplification: example

x1

x2

x3

x4

(x1 = x2 Ç x1 x4) Æ(x1 x3 Ç x2 = x3)

(x1 = x2 Ç True) Æ(x1 x3 Ç x2 = x3)

(: False Ç True) = True

Satisfiable!

True

True

Fals

e

Technion 65

Syntactic vs. Semantic splits

So far we saw how to handle disjunctions through syntactic case-splitting.

There are much better ways to do it than simply transforming it to DNF: Semantic Tableaux, SAT-based splitting, and others.

We will investigate some of these methods later in the course.

Technion 66

Now we start looking at methods that split the search space instead. This is called semantic splitting.

SAT is a very good engine for performing semantic splitting, due to its ability to guide the search, prune the search-space etc.

Syntactic vs. Semantic splits

Documents

Ofer Strichman, Technion 1 Decision Procedures in First Order Logic Part II – Equality Logic and Uninterpreted Functions