1 Decision Procedures An algorithmic point of view Equality Logic and Uninterpreted Functions

1

Decision ProceduresAn algorithmic point of view

Equality Logic andUninterpreted Functions

2

Outline

Introduction Definition, complexity Reducing Uninterpreted Functions to Equality Logic Using Uninterpreted Functions in proofs Simplifications

Introduction to the decision procedures The framework: assumptions and normal forms General terms and notions Solving a conjunction of equalities Simplifications

3

Equality Logic

A Boolean combination of Equalities and Propositionsx1=x2 Æ (x2 = x3 Ç : ((x1 = x3) Æ b Æ x1 = 2))

We will always push negations inside (NNF):x1=x2 Æ (x2 = x3 Ç ((x1 x3) Ç :b Ç x1 2))

Note: the set of Boolean variables is always separate from the set of term variables

4

Equality Logic: the grammar

formula : formula Ç formula | : formula | atom

atom : term-variable = term-variable | term-variable = constant | Boolean-variable

term-variables are defined over some (possible infinite) domain.The constants are from the same domain.

5

Expressiveness and complexity

Allows more natural description of systems, although technically it is as expressible as Propositional Logic.

Clearly NP-hard. In fact, it is in NP, and hence NP-complete, for

reasons we shall see later.

6

Equality logic with uninterpreted functions formula : formula Ç formula

| : formula | atom

atom : term = term | Boolean-variable

term : term-variable| function ( list of terms )

term-variables are defined over some (possible infinite) domain.Note that constants are functions with empty list of terms.

7

What is an uninterpreted function?

The signature includes in addition to equality, function and predicate symbols.

The theory restricts the interpretation of these symbols by a single axiom. For n-ary function F:

Sometimes, functional consistency is all that is needed for the proof.

8

Uninterpreted Functions

Uninterpreted functions are used for abstraction. Example: replace ‘+’ with an uninterpreted

Binary function f (h1st argi , h 2nd arg i) For example:

x1 + x2 = x3+x4 is replaced with

f can represent any binary function, not just +.

9

Example: Circuit Transformations

Circuits consist of combinationalgates and latches (registers)

The combinational gates can be modeled using functions

The latches can be modeled with variables

R1R1

I

Latch

Combi- national part

10


Some function, say I >> 5

Some other function, say L1 & 100110001…

Some bitvector Input

Some condition on L2

11


A pipeline processes data in stages Data is processed in parallel – as in

an assembly line Formal Model:

Stage 1Stage 1

Stage 3Stage 3

Stage 2Stage 2

12


The maximum clock frequency depends on the longest path between two latches

Note that the output of g is usedas input to k

We want to speed up the design by postponing k to the third stage

Also note that the circuit only uses one of L3 or L4, never both

We can remove one of the latches

13


==??

14


Equivalence in this case holds regardless of the actual functions

Conclusion: can be decided using Equality Logic and Uninterpreted Functions

15

For each function in UF: Number function instances

(from the inside out)

Replace each function instance with a new variable

Condition UF with a functional consistency constraint for every pair of instances of thesame function.

UFs Equality Logic: Ackermann’s reduction

F2(F1(x)) = 0

f2 = 0

F( ), G( ),…

((x = f1) f1 = f2 ) f2=0)

Given a formula UF with uninterpreted functions

f1

f2

16

Ackermann’s reduction : Example

Given the formula

(x1 x2) Ç (F(x1) = F(x2)) Ç (F(x1) F(x3))

which we want to check for validity, we first number the function instances:

(x1 x2) Ç (F1(x1) = F2(x2)) Ç (F1(x1) F3(x3))

17

Ackermann’s reduction : Example

(x1 x2) Ç (F1(x1) = F2(x2)) Ç (F1(x1) F3(x3))

Replace each function with a new variable,

(x1 x2) Ç (f1 = f2 ) Ç (f1 f3 )

Condition with Functional Consistency constraints:

18

Given a formula UF with UFs For each function in UF:

Number function instances (from the inside out)

Replace a function instance Fi with an expression

case x1 = xi :f1

x2 = xi : f2

xi-1 =xi :fi-1

true :fi

UFs Equality Logic: Bryant’s reduction

F1(x1) = F2(x2)

F( ), G( ),…

case x1 = x2 : f1

true :f2

f1 =

19

Given a formula UF with UFs For each function in UF:

Number function instances (from the inside out)

Replace a function instance Fi with an expression

case x1 = xi :f1

x2 = xi : f2

xi-1 =xi :fi-1

true :fi

UFs Equality Logic: Bryant’s reduction

F1(x1) = F2(x2)

F( ), G( ),…

(x1 = x2 → f1 = f1) Æ (x1 x2 → f1 = f2)

20

Bryant’s reduction: Example

x1 = x2 F1(G1(x1)) = F2(G2(x2))

Replace each function with an expression where

21

Using UFs in proofs

Uninterpreted functions gives us the ability to represent an abstract view of functions.

It over-approximates the concrete system.

1 + 1 = 1 is a contradiction

But

F (1,1) = 1 is satisfiable !

Conclusion: unless we are careful, we can give wrong answers and this way lose soundness.

22

Using UFs in proofs

In general a sound and incomplete method is more useful than unsound and complete.

A sound but incomplete algorithm: Given a formula with uninterpreted functions UF

:

Transform it to Equality Logic formula E

If E is unsatisfiable return Unsatisfiable Else return ‘Don’t know’

23

Using UFs in proofs

Question #1: is this useful ? Question #2: can it be made complete in some

cases ?

When the abstract view is sufficient for the proof, it enables (or simplifies) a mechanical proof.

So when is the abstract view sufficient ?

24

Using UFs in proofs (cont’d)

(common) Proving equivalence between: Two versions of a hardware design

e.g., one with and one without a pipeline Source and target of a compiler (“Translation

Validation”) (rare) Proving properties that do not rely on the

exact functionality of some of the functions.

25

Example: Translation Validation

Assume the source program has the statementz = (x1 + y1) (x2 + y2)

which the compiler turned into:u1 = x1 + y1;u2 = x2 + y2; z = u1 u2 ;

We need to prove that:(u1 = x1 + y1 u2 = x2 + y2 z = u1 u2) z = (x1 + y1) (x2 + y2)

26

Example (cont’d)

(u1 = x1 + y1 u2 = x2 + y2 z = u1 u2) z = (x1 + y1) (x2 + y2)

(u1 = F1(x1,y1) u2 = F2(x2,y2) z = G1 (u1,u2)) z = G2(F1(x1,y1), F2(x2,y2))

Claim: is valid We will prove this by reducing it to an Equality Logic

formula

UF:

27

Uninterpreted Functions: usability

Good: each function on the left can be mapped to a function on the right with equivalent arguments

Bad: almost all other cases Example:

Left Right

x + x 2x

28

Uninterpreted Functions: usability

This is easy to prove:x1 = x2 y1 = y2 x1 + y1 = x2 + y2

This requires knowledge on commutativity:x1 = y2 y1= x2 x1 + y1 = x2 + y2

easy fix:((x1 = x2 y1 = y2) (x1 = y2 x2 = y1)) f1 = f2

What about other cases ? use Rewriting rules

29

Example: equivalence of C programs (1/4)

These two functions return the same value regardless if

it is ‘*’ or any other function. Conclusion: we can prove equivalence by replacing ‘*’

with an Uninterpreted Function

Power3(int in) {out = in;for (i=0; i < 2; i++)

out = out * in;return out;

}

Power3_new(int in) {out = (in*in)*in;return out;

}

30


But first… we need to know how to write programs as

equations. We will learn one out of several options, namely

Static Single Assignment for Bounded programs.



}


}

31

From programs to equations

Static Single Assignment (SSA) form

Ma ze???

32

Static Single Assignment form

In this case we can replace with a guard: y3 Ã x2 < 3 ? y1 : y2

Problem: What do we do with loops ?

33

SSA for bounded programs

For each loop i in a given program, let ki be a bound on its iteration count.

Unroll the program according to the bounds. We are left with statements and conditions.

34

SSA for bounded programs

:

x = 0;

while (x < y) {

x++;

z = z + y;

}

x = 0;

z = z * 2;

Let k1 = 2 … x0 = 0

guard0 = x0 < y0

x1 = guard0 ? x0 + 1:x0

z1 = guard0 ? z0 + y0:z0

guard1 = x1 < y0

x2 = guard1 ? x1 + 1: x1

z2 = guard1 ? z1 + y0: z1

x4 = 0

z3 = z2 * 2

35




}


}

out0 = in Æout1 = out0 * in Æout2 = out1 * in

out’0 = (in’ * in’) * in’

Prove that both functions return the same value (out2 = out’0) given that in = in’

Static Single Assignment (SSA) form:

36



out’0 = (in’ * in’) * in’

With Uninterpreted Functions:

out0 = in Æout1 = F1 (out0 , in) Æ

out2 = F2 (out1 , in)

out’0 = F4(F3(in’ , in’) , in’)


37

Example: equivalence of C programs (4/4)With Uninterpreted Functions:



out’0 = F4(F3(in’ , in’) , in’)

Ea : out0 = in Æ

out1 = f1 Æout2 = f2

Eb: out’0 = f4

Ackermann’s reduction:

The Verification Condition (“the proof obligation”)

((out0 = out1 Æ in = in) ! f1 = f2) Æ ((out0 = in’ Æ in = in’) ! f1 = f3) Æ ((out0 = f3 Æ in= in’) ! f1 = f4) Æ ((out1 = in’ Æ in= in’) ! f2 = f3) Æ ((out1 = f3 Æ in= in’) ! f2 = f4) Æ ((in’ = f3 Æ in’ = in’) ! f3 = f4)

Æ (in=in’) Æ

Ea Æ E

b ! out2 = out’0

38

Uninterpreted Functions: simplifications

Let n be the number of function instances of F() Both reduction schemes require O(n2) comparisons This can be the bottleneck of the verification effort

Solution: try to guess the pairing of functions Still sound: wrong guess can only make a valid

formula invalid

39

UFs: simplifications (1)

Given that x1 = x1’, x2 = x2’, x3 = x3’, prove ² o1 = o2

o1 = (x1 + (a ¢ x2)) a = x3 + 5 Left

f1 f2

o2 = (x1’ + (b ¢ x2’)) b = x3’ + 5 Right

f3 f4

4 function instances 6 comparisons

40


o1 = (x1 + (a ¢ x2)) a = x3 + 5 Left

f1 f2

o2 = (x1’ + (b ¢ x2’)) b = x3’ + 5 Right

f3 f4

Guess: validity of equivalence does not rely onf1

= f2 or on f3

= f4

Conclusion: only enforce functional consistency of pairs (Left,Right)

41


Down to 4 comparisons… (from n(n-1)/2 to n2/4) Another Guess: validity of equivalence only

depends on f1 = f3

and f2 = f4

Pattern matching can be useful here ...

o1 = (x1 + (a ¢ x2)) a = x3 + 5 Left

f1 f2

o2 = (x1’ + (b ¢ x2’)) b = x3’ + 5 Right

f3 f4

42


+

¢in

in in

f1, f3

+

in 5

f2, f4

Match accordingto patterns (‘signatures’):

Down to 2 comparisons…

o1 = (x1 + (a ¢ x2)) a = x3 + 5 Left

f1 f2

o2 = (x1’ + (b ¢ x2’)) b = x3’ + 5 Right

f3 f4

43


f1, f3

Propagate through intermediate variables:

+

in

in

in

¢

o1 = (x1 + (a ¢ x2)) a = x3 + 5 Left

f1 f2

o2 = (x1’ + (b ¢ x2’)) b = x3’ + 5 Right

f3 f4

var

+

5

+

in

in

in

¢

+

5

44

Same example

map F1 to F3


out’0 = (in’ * in’) * in’




out’0 = F4(F3(in’ , in’) , in’)


F

inin

F

Fin

in in

map F2 to F4

45

Same example, smaller Verification Condition




out’0 = F4(F3(in’ , in’) , in’)

Ea : out0 = in Æ


Eb: out’0 = f4

Ackermann’s reduction:

The Verification Condition has shrunk:

((out0 = in’ Æ in = in’) ! f1 = f3) Æ ((out1 = f3 Æ in= in’) ! f2 = f4)

Æ (in=in’) Æ Ea Æ E

b ! out2 = out’0

46

now with Bryant’s reduction:With Uninterpreted Functions:



out’0 = F4(F3(in’ , in’) , in’)

Ea : out0 = in Æ


Eb: out’0 =

case case in’=outo Æ in’=in : f1

true : f3 =out1

Æ in’=in: : f2

true : f4

Bryant’s reduction:

The Verification Condition (“the proof obligation”)

Prove validity of: Ea Æ E

b Æ in = in’) ! out2 = out’0

47

So is Equality Logic with UFs interesting ?

1. It is expressible enough to state something interesting.

2. It is decidable and more efficiently solvable than richer logics, for example in which some functions are interpreted.

3. On the other, hand replacing functions with UF is an abstraction.

4. Models which rely on infinite-type variables are more naturally expressed in this logic in comparison with Propositional Logic.

Documents

1 Decision Procedures An algorithmic point of view Equality Logic and Uninterpreted Functions