Reasoning about Arrays

Aaron R. Bradley

CU Boulder

max := a[l];

for(i := l+1; i <= u; i++)

if (a[i] > max) max := a[i];

Establish postcondition:

∀j. l ≤ j ≤ u → a[j] ≤ max

Loop invariant:

∀j. l ≤ j < i → a[j] ≤ max

Also establish postcondition:

∀j. a[j] = a0[j]

for(i := 0; i < length(sets); i++)

u := union(u, sets[i]);

Given postcondition of union(u, v):

rv = u ∪ v

Establish postcondition:

∀j. 0 ≤ j ≤ |sets| → sets[j] ⊆ u

Loop invariant:

∀j. 0 ≤ j < i → sets[j] ⊆ u

Loop invariant:

∀j. 0 ≤ j < i → sets[j] ⊆ u

Translation:

∀j. 0 ≤ j < i → ∀e. sets[j][e] → u[e]

Sets

• e ∈ s : s[e]

• s ⊆ t ∀e. s[e] → t[e]

• s ⊂ t (∀e. s[e] → t[e]) ∧ (∃e1. ¬s[e1] ∧ t[e1])

• s = t ∩ u ∀e. s[e] ↔ t[e] ∧ u[e]

• s = t ∀e. s[e] ↔ ¬t[e]

Multisets (bags)

• C(s, e) s[e]

• s = t ⊎ u ∀e. s[e] = t[e] + u[e]

• . . .

assert(v >= 0);

ht := put(ht, k, v);

Precondition:

∀j ∈ keys(ht). get(ht, j) ≥ 0

Establish postcondition:

∀j ∈ keys(ht). get(ht, j) ≥ 0

Verification condition:

(∀j ∈ keys(ht). get(ht, j) ≥ 0)

∧ v ≥ 0 ∧ h′ = put(ht, k, v)

→ (∀j ∈ keys(h′). get(h′, j) ≥ 0)

Flat data structures

• Integer-indexed arrays

• Collections: sets, multisets (bags)

• Hashtables

Model and reason about them as arrays (uninterpreted functions).

First-Order Theory

T : (Σ,A)

• Signature Σ: non-logical symbols (a, b, +, <, . . . )

• Axioms A: formulae interpreting symbols

T -Interpretation I : (D,α)

• Domain D: set of objects

• Assignment α: assigns Σ-symbols to domain elements,

functions, predicates

• for each F ∈ A, I |= F

Σ-formula F is T -valid iff for every T -interpretation I , I |= F .

F is T -valid

iff

¬F is T -unsatisfiable

Decision Problem for T

Decide if Σ-formula F is T -valid.

T is set of T -valid Σ-formulae.

TA: First-Order Theory of Arrays

Signature:

ΣA : {a[i], a〈i ⊳ v〉, =}

Axioms:

• Equality axioms

• Infinite domain axiom schema: for all n > 0

∀i1, . . . , in. ∃j.

n∧

k=1

j 6= ik

• Read-over-write

∀a, i, j, v. i = j → a〈i ⊳ v〉[j] = v

∀a, i, j, v. i 6= j → a〈i ⊳ v〉[j] = a[j]

T Z

A: First-Order Theory of Integer-Indexed Arrays

Signature:

ΣZ

A: ΣA ∪ ΣZ = {a[i], a〈i ⊳ v〉, =, 0, 1, +, ≥}

Axioms:

• Axioms of integer arithmetic

• Equality axioms

• Read-over-write

∀a, i, j, v. i = j → a〈i ⊳ v〉[j] = v

∀a, i, j, v. i 6= j → a〈i ⊳ v〉[j] = a[j]

Fragment of T

Subset of T given by syntactic restriction.

Example: “quantifier-free” fragment (QFF) of TA

Is

a[i] = e1 ∧ e1 6= e2 → a〈i ⊳ e2〉[i] 6= a[i]

TA-valid?

Alternately, is

a[i] = e1 ∧ e1 6= e2 ∧ a〈i ⊳ e2〉[i] = a[i]

TA-unsatisfiable?

Nelson-Oppen Combination Method

Given :

• Theories T1, . . . , Tk that share only = (and are stably infinite)

• Decision procedures P1, . . . , Pk

• Quantifier-free (Σ1 ∪ · · · ∪ Σk)-formula F

Decide if F is (T1 ∪ · · · ∪ Tk)-satisfiable using P1, . . . , Pk.

Think about arrays in context of Nelson-Oppen.

History

• 1962: John McCarthy formalizes arrays as first-order theory TA.

• 1969: James King describes and implements DP for QFF of TA.

• 1979: Nelson & Oppen describe combination method for QF

theories sharing =.

• 1980s: Suzuki, Jefferson; Jaffar; Mateti describe DPs for QFF of

theories of arrays with predicates for sorted, partitioned, etc.

• 1997: Levitt describes DP for QFF of extensional theory of

arrays in thesis.

• 2001: Stump, Barrett, Dill, Levitt describe DP for QFF of

extensional theory of arrays.

• 2006: Bradley, Manna, Sipma describe DP for array property

fragment of TA, T Z

A.

• Other recent references:

– Sofronie-Stokkermans et al.: local theory extensions

– Ghilardi, Nicolini, Ranise, Zucchelli

– Iosef, Habermehl, Vojnar: use flat counter automata

– Fontaine: Combinations with Bernays-Schonfinkel-Ramsey

class

Array Property Fragment of TA

Array property :

∀i. F [i] → G[a[i]]

• F : index guard

iguard := iguard ∧ iguard | iguard ∨ iguard | atom

atom := var = var | evar 6= var | var 6= evar | ⊤

var := evar | uvar

• G: value constraint

i only appears in a[i] (possibly within nested array properties)

Array property fragment : Boolean combination of array properties

and QF formulae.

Array Property Fragment of TA ∪ T

Same definition when T is a Nelson-Oppen theory.

Decision Procedure

Given : Array property formula F

1. F1: push negations to atoms

2. F2: Eliminate writes

G[a〈i ⊳ v〉]

G[a′] ∧ a′[i] = v ∧ (∀j. j 6= i → a[j] = a′[j])

3. Construct index set

I : {t : t is symbolic index} ∪ {κ}

4. F4: κ is unique

F2 ∧∧

t∈I\κ

κ 6= t

5. F5: Instantiate quantifiers

H[∀i. G[i]] =⇒ H

[

∧

t∈I

G[t]

]

6. F5 is QF. Decide satisfiability using Nelson-Oppen DP.

Example: Extensional theory (Stump et al., 2001)

a = b〈i ⊳ v〉 ∧ a[i] 6= v

In array property fragment:

(∀j. a[j] = b〈i ⊳ v〉[j]) ∧ a[i] 6= v

Eliminate write:

(∀j. a[j] = b′[j]) ∧ a[i] 6= v

∧ b′[i] = v ∧ (∀j. j 6= i → b′[j] = b[j])

Index set:

I : {i, κ}

QF formula:

a[i] = b′[i] ∧ a[κ] = b′[κ]

∧ a[i] 6= v ∧ b′[i] = v

∧ (i 6= i → b′[i] = b[i]) ∧ (κ 6= i → b′[κ] = b[κ])

∧ κ 6= i

Simplified:

a[i] = b′[i] ∧ a[κ] = b′[κ]

∧ a[i] 6= v ∧ b′[i] = v

∧ b′[κ] = b[κ]

∧ κ 6= i

Why κ?

(∀i. a[i] > 0) ∧ (∀i. a[i] < 0)

But requires infinite domain for indices. Recall axiom schema:

For all n > 0

∀i1, . . . , in. ∃j.

n∧

k=1

j 6= ik

Correctness

• Sound? It’s just quantifier elimination (except for κ).

• Complete?

Assume I |= F5. Construct J such that J |= F .

proj(t) =

i if αI [t] = vi for some i ∈ I

κ otherwise

F [proj(i)] G[a[proj(i)]]

K |=

F [i] G[a[i]]

(1) (2)

?

Array Property Fragment of T Z

A

Array property :

∀i. F [i] → G[a[i]]

• F : index guard

iguard := iguard ∧ iguard | iguard ∨ iguard | atom

atom := expr ≤ expr | expr = expr

expr := uvar | pexpr

pexpr := pexpr′

pexpr′ := Z | Z · evar | pexpr′ + pexpr′

• G: value constraint

i only appears in a[i] (possibly within nested array properties)

Array property fragment : Boolean combination of array properties

and QF formulae.

Decision Procedure

Given : Array property formula F

1. F1: push negations to atoms

2. F2: Eliminate writes

G[a〈i ⊳ v〉]

G[a′] ∧ a′[i] = v

∧ (∀j. j ≤ i − 1 ∨ i + 1 ≤ j → a[j] = a′[j])

3. Construct index set

I : {t : t is symbolic index} ({0} if empty)

4. F4: Instantiate quantifiers

H[∀i. G[i]] =⇒ H

[

∧

t∈I

G[t]

]

5. F4 is QF. Decide satisfiability using Nelson-Oppen DP.

Example

sorted(a, ℓ, u) : ∀i, j. ℓ ≤ i ≤ j ≤ u → a[i] ≤ a[j]

Is

sorted(a〈0 ⊳ 0〉〈5 ⊳ 1〉, 0, 5) ∧ sorted(a〈0 ⊳ 10〉〈5 ⊳ 11〉, 0, 5)

(T Z

A∪ TZ)-satisfiable?

0 w x y z 1

10 w x y z 11

Example

sorted(a〈0 ⊳ 0〉〈5 ⊳ 1〉, 0, 5) ∧ sorted(a〈0 ⊳ 10〉〈5 ⊳ 11〉, 0, 5)

Index set: {−1, 0, 1, 4, 5, 6}

• {0, 5} from 0 ≤ i ≤ j ≤ 5

• {−1, 1} from ·〈0 ⊳ ·〉

• {4, 6} from ·〈5 ⊳ ·〉

Contradiction: 0 ≤ a[1] ≤ 1 ∧ 10 ≤ a[1] ≤ 11

Need 1 or 4 in index set.

Complexity

Quantifier elimination is in NEXP for Nelson-Oppen theories:

1. |I| is linear in size of F , so linear-time quantifier instantiation.

2. NP DPs applied to QF formula at most exponentially larger than

F .

3. Exponential in largest stack of universal quantifiers.

Fixing stack height (“extensional”, “sorting” fragment) gives NP

procedure.

Complexity

NEXP-hard even for uninterpreted domain and range.

• Bernays-Schonfinkel-Ramsey (BSR) class: ∃∗∀∗, only

predicates

• Deciding satisfiability is NEXP-complete

• Reduction:

∃x. F [x] =⇒ ∃x. d(x) ∧ F [x]

∀x. F [x] =⇒ ∀x. d(x) → F [x]

Why d? Only infinite TA-interpretations, but possible finite

BSR-interpretations.

Thanks to De Moura, Bjorner, Kuncak for mentioning BSR.

Undecidable Extensions

• Extra quantifier alternation

• Nested reads under ∀i: a[a[i]]

• No separation: ∀i. F [a[i], i]

• Arithmetic: a[i + 1] when i is universal

• Strict comparison: i < j when i, j are universal

• Permutation predicate

Reduce from undecidability of Diophantine equations:

p(x1, . . . , xn) = 0

(over nonnegative x)

“Walk”:

• Begin at origin.

• At each step, increment one xi.

• End at solution.

A walk exists iff p(x) = 0 has a solution.

1. q(x) = p(x)2

q(x) > 0 on walk, except at solution

2. Difference tree:

a : x2 − 2xy + y2

b : 2x − 2y + 1 c : −2x + 2y + 1

2 −2 −2 2

3. Walk arithmetic is linear arithmetic :

Initially (a, b, c) = (0, 1, 1)

x := x + 1 (a, b, c) := (a + b, b + 2, c − 2)

y := y + 1 (a, b, c) := (a + c, b − 2, c + 2)

Initial condition:

θ(i) :∧

p

ap[i] = p(0)

Transition relation for variable x:

ρx(i, j) :∧

p

ap[j] = ap[i] + a∆xp[i]

Idle transition:

ρ0(i, j) : a[i] = a[j]

Easy: extra quantifier alternation

∃a, s. ∀i. ∃j.

θ(0)

∧

(

ρ0(i, j) ∨∨

x

ρx(i, j)

)

∧ s[j] = s[i] − aq[i]

∧ s[i] > 0

Tricky: permutation predicate perm(a, b)

Define identifiers:

perm(a, b) ∧ ∀i. b[i] = a[i] + 1

Bounded case for integer-indexed arrays: n identifiers

a[0] = n ∧ b[0] = 0 ∧ perm(a, b, 0, n)

∧ ∀i. 0 < i ≤ n → 0 ≤ a[i], b[i] ≤ n ∧ b[i] = a[i] + 1

Unbounded case:

∃a, d, e, z, n. ∀i, j.

θ(z)

∧

(d[j] > 0 ∧ d[j] = d[i] + 1)

∨ (d[j] < 0 ∧ d[j] = d[i] − 1)

→∨

x

ρx(i, j)

∧ aq[n] = 0

∧ d[z] = 0 ∧ perm(d, e) ∧ ∀i. e[i] = d[i] + 1

Open: ∀i, j. i 6= j → a[i] 6= a[j]

• For integer-indexed arrays: undecidable

• Otherwise: ?

Incremental Instantiation

1. Instantiate F to F ′

2. Find I |= F ′ (otherwise, F is unsatisfiable)

3. Construct G : ¬F [I]

4. Find J |= G (otherwise, F is satisfiable)

5. Enlarge instantiation set (according to I and J ) and repeat

May avoid full instantiation (whether satisfiable or unsatisfiable)

Summary

• Array property fragments allow encoding

– properties of arrays and array segments

– operations on sets, multisets, and hashtables

• Simple decision procedure: quantifier instantiation

• Larger natural fragments are undecidable