a framework for cooperating decision procedures

Post on 18-Jan-2016


DESCRIPTION

A Framework for Cooperating Decision Procedures. Clark W. Barrett David L. Dill Aaron Stump. Computer Systems Laboratory Stanford University. Outline. Motivation The Framework Correctness of the Framework Using the Framework Conclusions. The Need for Decision Procedures. - PowerPoint PPT Presentation

TRANSCRIPT

A Framework for Cooperating Decision Procedures

Clark W. Barrett, David L. Dill, Aaron Stump

Computer Systems Laboratory, Stanford University

Outline

Motivation

The Framework

Correctness of the Framework

Using the Framework

Conclusions

The Need for Decision Procedures

Many interesting and practical problems can be expressed as problems in a decidable theory.

General purpose decision procedures can save time and effort when approaching new problems.

Decision procedures have been used in theorem proving, model checking, symbolic simulation, system specification, and other applications, many of which were unanticipated.

The Stanford Validity Checker (SVC)

This work is a result of ongoing attempts to improve the decision procedures of SVC.

Despite theoretical and architectural weaknesses, SVC has been surprisingly successful.

Our goals with SVC include the following: provably correct; adequately expressive, yet still decidable; flexible and easy to extend; maximum performance.

SVC Core: Cooperating Decision Procedures

Suppose $T_1, \dots, T_n$ are decidable theories with disjoint signatures.

Let $T = \bigcup_i T_i$, and consider a quantifier-free formula in the language of $T$.

Is it satisfiable in the theory $T$?

Cooperating Decision Procedures

Two main approaches: Nelson and Oppen ['79] and Shostak ['84].

The original papers are confusing and incomplete. Later treatments clarified them: [Tinelli & Harandi '96] for Nelson-Oppen, [Cyrluk et al. '96, Shankar & Ruess '00] for Shostak.

This work seeks to unify and further clarify these two approaches.


Preliminaries

Expressions: DAG representation of terms and formulas. An operator applied to 0 or more children.

Union-Find: each expression (including the Boolean constants true and false) belongs to an equivalence class with a unique representative.

Find(x) returns the equivalence class representative of x.

Union(x,y) merges the equivalence classes associated with x and y and makes y the new representative.

Framework Interface

AddFormula(φ), for φ a literal in T: C := C ∪ {φ}. (Initially, C = Ø.)

Satisfiable(): returns TRUE iff Find(true) ≠ Find(false).

Satisfiability of an arbitrary formula in the language of T is determined by converting it to DNF and then testing each conjunct for satisfiability.

The Framework

[Figure: block diagram of the framework. Boxes: AddFormula, Assert, Simplify, Setup, Merge, Rewrite and Propagate; Rewrite, Setup and Propagate are marked as theory-specific code. Edge labels: a=b (into Merge), a,b (into Setup), t→t' (through Rewrite), and a=b returned by Propagate.]

AddFormula and Assert

Assert(φ) processes the formula φ by first simplifying it and then calling Merge.

AddFormula is a wrapper around Assert which allows each theory to assert new facts (through Propagate).

AddFormula(φ)
    Assert(φ);
    REPEAT
        FOREACH theory i DO
            Propagate(i);
    UNTIL no change;

Assert(φ)
    φ' := Simplify(φ);
    IF φ' not an equation THEN
        φ' := (φ' = true);
    Merge(φ');


Simplify and Rewrite

Simplify returns an expression which is equivalent in the current context. It recursively replaces each sub-expression with its equivalence class representative and applies theory-specific rewrites.

Simplify(φ)
    IF Find(φ) is defined THEN
        RETURN Find(φ);
    φ' := Simplify each child of φ;
    φ' := Rewrite(φ');
    RETURN φ';

Rewrite(t)
    t' := TheoryRewrite(t);
    IF t ≠ t' THEN
        t' := Rewrite(t');
    RETURN t';


Setup and Merge

Merge records that two expressions a and b are equal by merging their equivalence classes. It calls Setup on each expression and notifies the theories that care about a.

Merge(a=b)
    Setup(a); Setup(b);
    Union(a,b);
    FOREACH <f,d> ∈ a.notify
        Call f(a=b,d);

Setup(t)
    IF Find(t) is defined THEN RETURN;
    FOREACH child c: Setup(c);
    TheorySetup(t);
    Find(t) := t;

A Simple Example

[Figure: the framework diagram annotated with a trace for the single input a = b. AddFormula(a = b) calls Assert; Simplify leaves a = b unchanged; Merge(a = b) unions the classes of a and b, so that Find(a) = b. Simplifying a = b again now replaces a by its representative, giving b = b, which Rewrite reduces to true.]
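The core loop the preceding slides describe (AddFormula/Assert, Simplify/Rewrite, Setup/Merge with notification, and the a = b trace), as an added Python model that is not code from the slides or from SVC. The tuple encoding of DAG nodes, the single rewrite rule t = t → true, and the congruence callback used in place of a theory's Propagate are assumptions made for this example.

```python
# Added example, not the slides' code; exprs are atoms ('a') or tuples ('f','a'), ('=','a','b')
find = {}    # Find(x): class representative; a key is absent until Setup(x) has run
notify = {}  # x -> [(callback, data)] pairs to call when x is merged (a.notify)
def reset():
    find.clear(); notify.clear()
    Setup('true'); Setup('false')   # the Boolean constants get their own classes

def Find(x): return find[x]
def Union(x, y):                    # y becomes the new representative
    rx, ry = find[x], find[y]
    for k, v in find.items():
        if v == rx: find[k] = ry

def Setup(t):
    if t in find: return
    if isinstance(t, tuple):        # an operator applied to children
        for c in t[1:]: Setup(c)
        if t[0] != '=':             # TheorySetup: f(c) wants to hear when c is merged
            for c in t[1:]: notify.setdefault(c, []).append((congruence, t))
    find[t] = t

def TheoryRewrite(t):               # the one rewrite rule assumed here: t = t -> true
    return 'true' if isinstance(t, tuple) and t[0] == '=' and t[1] == t[2] else t

def Rewrite(t):
    t2 = TheoryRewrite(t)
    return Rewrite(t2) if t2 != t else t2

def Simplify(e):
    if e in find: return find[e]    # already set up: answer is its representative
    if isinstance(e, tuple): e = (e[0],) + tuple(Simplify(c) for c in e[1:])
    return Rewrite(e)

def Merge(eq):
    _, a, b = eq
    Setup(a); Setup(b); Union(a, b)
    for f, d in list(notify.get(a, [])): f(eq, d)

def congruence(eq, d):              # uninterpreted functions: a = b entails f(a) = f(b)
    d2 = Simplify((d[0],) + tuple(Find(c) for c in d[1:]))
    if d2 != d: Assert(('=', d, d2))

def Assert(phi):
    p = Simplify(phi)
    if not (isinstance(p, tuple) and p[0] == '='): p = ('=', p, 'true')
    Merge(p)
def AddFormula(phi): Assert(phi)    # Propagate is replaced by the notify callbacks above
def Satisfiable(): return Find('true') != Find('false')
reset()
```

Asserting a = b once gives Find(a) = b, and simplifying a = b again yields true, as in the slide's trace; asserting (f(a) = f(b)) = false first and then a = b drives the congruence callback until true and false are merged.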


Approach to Correctness

Develop a set of preconditions and requirements that must hold for the framework to be correct.

Prove that, as long as the code associated with individual theories adheres to these general requirements, the framework is correct.

Prove the main theorems once, then prove a small set of theorems each time a theory is added.

Example: Completeness

Theorem [Tinelli et al. '96]:

Let $T_1$ and $T_2$ be two disjoint theories, and let $\varphi_1$ be a formula in the language of $T_1$ and $\varphi_2$ a formula in the language of $T_2$.

Let $V$ be the set of their shared variables and let $\alpha(V)$ be an arrangement of $V$.

If $\varphi_1 \wedge \alpha(V)$ is satisfiable in $T_1$ and $\varphi_2 \wedge \alpha(V)$ is satisfiable in $T_2$, then $\varphi_1 \wedge \varphi_2$ is satisfiable in $T_1 \cup T_2$.

Example: Completeness

Every formula recorded by Merge is associated with an individual theory.

Each theory Ti determines whether the conjunction of its formulas together with the arrangement of shared variables induced by the expression equivalence classes is satisfiable in Ti.

By application of the previous theorem, we can then determine whether the conjunction of all formulas recorded by Merge is satisfiable.



Nelson-Oppen Style Combinations

Input formulas are transformed into equivalent formulas, each of which is in a single theory.

Suppose f and g are symbols from two different theories. Then $y = f(g(x))$ is transformed into $y = f(z) \wedge z = g(x)$, with $z$ a new variable.

Each theory must determine whether any equalities between (shared) variables are entailed by its formulas and propagate these equalities.

Our Approach to Nelson-Oppen

The flexible nature of the framework allows us to directly implement and prove correctness of a more efficient algorithm: don't transform the formulas or introduce new variables. It is sufficient to partition the formulas and mark which terms are "used" by more than one theory.

Only propagate equalities between terms used by more than one theory, and only to theories which use the left side of the equality.

Nelson-Oppen Example

$\neg P(0) \wedge P(h(x) - h(y)) \wedge x \le y \wedge y \le x + s[i] \wedge s = \mathit{write}(t, i, 0)$

Combines three theories: uninterpreted functions, arithmetic with inequalities, arrays.

[Figure: the framework diagram with the example traced through three theory columns (Uninterpreted, Arithmetic, Arrays). Each literal is asserted as an equation: P(0) = false and P(h(x) − h(y)) = true go to the uninterpreted-function theory, x ≤ y and y ≤ x + s[i] to arithmetic, and s = write(t, i, 0) to arrays, with terms such as x, y, h(x), h(y) and s[i] marked as used by more than one theory. Propagation derives, in turn, s[i] = 0 (arrays), x = y (arithmetic), h(x) = h(y) (uninterpreted functions) and h(x) − h(y) = 0 (arithmetic), so that P(h(x) − h(y)) simplifies to P(0) and the classes of true and false are merged: the formula is unsatisfiable.]

Shostak Style Combinations

More efficient than Nelson-Oppen, but not as widely applicable.

Only applies to theories which are canonizable and algebraically solvable.

Input formulas are solved for a single variable.

No need to propagate equalities.

Our Approach to Shostak

Use theory-specific Rewrite code to solve and canonize formulas.

Both Shostak and Nelson-Oppen style theories can be integrated in the same framework.

Proof of correctness is easier than in other treatments of Shostak because we can treat uninterpreted functions as belonging to a separate Nelson-Oppen style theory.


Conclusions

What have we learned? There is a demand for efficient cooperating decision procedures. Getting it right is hard. A solid theoretical foundation is necessary.

Future work: the next version of SVC is under development. New theories. Relax restrictions on what kinds of theories can be integrated.

Stay tuned

Visit the SVC home page at http://verify.stanford.edu/SVC
