verification of uninterpreted and partially interpreted ...vicaryjo/owls/slides/umang.pdf · umang...
TRANSCRIPT
![Page 1: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/1.jpg)
Verification of Uninterpreted and Partially
Interpreted Programs
Umang MathurJoint work with
Madhusudan Parthasarathy and Mahesh Viswanathan
University of Illinois at Urbana Champaign
![Page 2: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/2.jpg)
Table of contents
1. Introduction
2. Uninterpreted Programs
Syntax and Semantics
Verification
3. Coherence
Verification of Coherent Programs
Checking Coherence
4. k-Coherence
5. Verification Modulo Theories
1
![Page 3: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/3.jpg)
Introduction
![Page 4: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/4.jpg)
Program Verification
Program verification is undecidable, in general.
However, decidable classes do exist:
• Programs without loops or recursion (straight-line)
• Programs working over finite domains (Boolean programs)
• Models like Petri Nets - not natural for modeling programs
Today : Decidable verification for programs with loops/recursion while
working over infinite domains.
2
![Page 5: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/5.jpg)
Uninterpreted Programs
![Page 6: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/6.jpg)
What are Uninterpreted Programs?
• Programs over an uninterpreted vocabulary
- Constant, function and relation symbols are completely
uninterpreted.
• Work over arbitrary data models
- Data models provide interpretations to symbols in the program.
• Satisfy φ if φ holds in all data models
3
![Page 7: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/7.jpg)
Uninterpreted Programs: Syntax
Fix a finite set V of program variables.
Fix a first order vocabulary Σ = (C,F ,R).
Program Syntax
〈stmt〉 ::= skip | x := c | x := y | x := f (z)
| if (〈cond〉) then 〈stmt〉 else 〈stmt〉 | while (〈cond〉) 〈stmt〉| assume (〈cond〉) | 〈stmt〉 ; 〈stmt〉
〈cond〉 ::= true | x = y | x = c | c = d | R(z)
| 〈cond〉 ∨ 〈cond〉 | ¬〈cond〉
where, x , y , z ∈ V , c ∈ C, f ∈ F and R ∈ R.
4
![Page 8: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/8.jpg)
Example
assume (T 6= F);
b := F;
while (x 6= y) {d := key(x);
if (d = k) then {b := T;
r := x;
}x := n(x);
}
• Searches for an element with
key k in a list starting at x and
ending at y.
• T and F are uninterpreted
constants
• key and n are uninterpreted
functions
5
![Page 9: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/9.jpg)
Example
assume (T 6= F);
b := F;
while (x 6= y) {d := key(x);
if (d = k) then {b := T;
r := x;
}x := n(x);
}
• Searches for an element with
key k in a list starting at x and
ending at y.
• T and F are uninterpreted
constants
• key and n are uninterpreted
functions
5
![Page 10: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/10.jpg)
Example
assume (T 6= F);
b := F;
while (x 6= y) {d := key(x);
if (d = k) then {b := T;
r := x;
}x := n(x);
}
• Searches for an element with
key k in a list starting at x and
ending at y.
• T and F are uninterpreted
constants
• key and n are uninterpreted
functions
5
![Page 11: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/11.jpg)
Uninterpreted Programs: Executions
Executions are finite sequences over the following alphabet
Π =
“x := y”, “x := f (z)”,
“assume(x = y)”, “assume(x 6= y)”,
“assume(R(z))”, “assume(¬R(z))”
∣∣∣∣∣ x , y , z ∈ V ,
f ∈ F ,R ∈ R
Set of executions is a regular language defined inductively:
Exec(skip) = {ε}Exec(x := y) = {“x := y”}Exec(x := f (z)) = {“x := f (z)”}Exec(assume(c)) = {“assume(c)”}
Exec(if c then s1 else s2) ={“assume(c)”} · Exec(s1)
∪{“assume(¬c)”} · Exec(s2)
Exec(s1; s2) = Exec(s1) · Exec(s2)
Exec(while c {s}) =({“assume(c)”}·Exec(s)
)∗·{“assume(¬c)”}
6
![Page 12: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/12.jpg)
Uninterpreted Programs: Executions
Executions are finite sequences over the following alphabet
Π =
“x := y”, “x := f (z)”,
“assume(x = y)”, “assume(x 6= y)”,
“assume(R(z))”, “assume(¬R(z))”
∣∣∣∣∣ x , y , z ∈ V ,
f ∈ F ,R ∈ R
Set of executions is a regular language defined inductively:
Exec(skip) = {ε}Exec(x := y) = {“x := y”}Exec(x := f (z)) = {“x := f (z)”}Exec(assume(c)) = {“assume(c)”}
Exec(if c then s1 else s2) ={“assume(c)”} · Exec(s1)
∪{“assume(¬c)”} · Exec(s2)
Exec(s1; s2) = Exec(s1) · Exec(s2)
Exec(while c {s}) =({“assume(c)”}·Exec(s)
)∗·{“assume(¬c)”}
6
![Page 13: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/13.jpg)
Uninterpreted Programs: Semantics
Semantics given by a first order structure M = (UM, JKM) on Σ.
Definition (Values of Variables)
valM(ε, x) = JxKM for every x ∈ V
valM(ρ·“x := y”, z) = valM(ρ, y) if z is x
valM(ρ·“x := f (z1, . . .)”, y) = Jf KM(valM(ρ, z1), . . .) if y is x
valM(ρ·a, x) = valM(ρ, x) otherwise
7
![Page 14: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/14.jpg)
Uninterpreted Programs: Semantics
Semantics given by a first order structure M = (UM, JKM) on Σ.
Definition (Feasibility of Execution)
An execution ρ is feasible in M if for every prefix σ′ = σ · “assume(c)” of
ρ, we have
1. valM(σ, x) = valM(σ, y) if c is (x = y),
2. valM(σ, x) 6= valM(σ, y) if c is (x 6= y),
3. (valM(σ, z1), . . . , valM(σ, zr )) ∈ JRKM if c is R(z1, . . . , zr ), and
4. (valM(σ, z1), . . . , valM(σ, zr )) 6∈ JRKM if c is ¬R(z1, . . . , zr ).
7
![Page 15: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/15.jpg)
Uninterpreted Programs: Verification
Definition (Verification of Uninterpreted Programs)
Let P ∈ 〈stmt〉 be an uninterpreted program and let ϕ be an assertion in
the following grammar.
ϕ ::= true | x = y | R(z) | ϕ ∨ ϕ | ¬ϕ
P |= ϕ iff for every execution ρ ∈ Exec(P) and for every FO structure M
such that ρ is feasible in M, M satisfies ϕ[valM(ρ,V )/V ].
Theorem [1, 3]
Verification of uninterpreted programs is undecidable.
8
![Page 16: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/16.jpg)
Uninterpreted Programs: Verification
Definition (Verification of Uninterpreted Programs)
Let P ∈ 〈stmt〉 be an uninterpreted program and let ϕ be an assertion in
the following grammar.
ϕ ::= true | x = y | R(z) | ϕ ∨ ϕ | ¬ϕ
P |= ϕ
iff for every execution ρ ∈ Exec(P) and for every FO structure M
such that ρ is feasible in M, M satisfies ϕ[valM(ρ,V )/V ].
Theorem [1, 3]
Verification of uninterpreted programs is undecidable.
8
![Page 17: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/17.jpg)
Uninterpreted Programs: Verification
Definition (Verification of Uninterpreted Programs)
Let P ∈ 〈stmt〉 be an uninterpreted program and let ϕ be an assertion in
the following grammar.
ϕ ::= true | x = y | R(z) | ϕ ∨ ϕ | ¬ϕ
P |= ϕ iff for every execution ρ ∈ Exec(P)
and for every FO structure M
such that ρ is feasible in M, M satisfies ϕ[valM(ρ,V )/V ].
Theorem [1, 3]
Verification of uninterpreted programs is undecidable.
8
![Page 18: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/18.jpg)
Uninterpreted Programs: Verification
Definition (Verification of Uninterpreted Programs)
Let P ∈ 〈stmt〉 be an uninterpreted program and let ϕ be an assertion in
the following grammar.
ϕ ::= true | x = y | R(z) | ϕ ∨ ϕ | ¬ϕ
P |= ϕ iff for every execution ρ ∈ Exec(P) and for every FO structure M
such that ρ is feasible in M,
M satisfies ϕ[valM(ρ,V )/V ].
Theorem [1, 3]
Verification of uninterpreted programs is undecidable.
8
![Page 19: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/19.jpg)
Uninterpreted Programs: Verification
Definition (Verification of Uninterpreted Programs)
Let P ∈ 〈stmt〉 be an uninterpreted program and let ϕ be an assertion in
the following grammar.
ϕ ::= true | x = y | R(z) | ϕ ∨ ϕ | ¬ϕ
P |= ϕ iff for every execution ρ ∈ Exec(P) and for every FO structure M
such that ρ is feasible in M, M satisfies ϕ[valM(ρ,V )/V ].
Theorem [1, 3]
Verification of uninterpreted programs is undecidable.
8
![Page 20: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/20.jpg)
Uninterpreted Programs: Verification
Definition (Verification of Uninterpreted Programs)
Let P ∈ 〈stmt〉 be an uninterpreted program and let ϕ be an assertion in
the following grammar.
ϕ ::= true | x = y | R(z) | ϕ ∨ ϕ | ¬ϕ
P |= ϕ iff for every execution ρ ∈ Exec(P) and for every FO structure M
such that ρ is feasible in M, M satisfies ϕ[valM(ρ,V )/V ].
Theorem [1, 3]
Verification of uninterpreted programs is undecidable.
8
![Page 21: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/21.jpg)
Coherence
![Page 22: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/22.jpg)
How do we verify a single execution?
Execution ρ
assume(T 6= F)
b := F
assume(x 6= y)
d := key(x)
assume(d = k)
b := T
r := x
x := n(x)
assume(x = y)
ϕ ≡ b=T⇒ key(r)=k
VC (ρ, ϕ)
T 6= F
∧ b1 = F
∧ x0 6= y0
∧ d1 = key(x0)
∧ d1 = k0
∧ b2 = T
∧ r1 = x0
∧ x1 = n(x0)
∧ x1 = y0
⇒ (b2 = T⇒ key(r1) = k0)
ϕ holds in every M in
which ρ is feasibleiff VC (ρ, ϕ) is valid in TEUF
9
![Page 23: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/23.jpg)
How do we verify a single execution?
Execution ρ
assume(T 6= F)
b := F
assume(x 6= y)
d := key(x)
assume(d = k)
b := T
r := x
x := n(x)
assume(x = y)
ϕ ≡ b=T⇒ key(r)=k
VC (ρ, ϕ)
T 6= F
∧ b1 = F
∧ x0 6= y0
∧ d1 = key(x0)
∧ d1 = k0
∧ b2 = T
∧ r1 = x0
∧ x1 = n(x0)
∧ x1 = y0
⇒ (b2 = T⇒ key(r1) = k0)
ϕ holds in every M in
which ρ is feasibleiff VC (ρ, ϕ) is valid in TEUF
9
![Page 24: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/24.jpg)
How do we verify a single execution?
Execution ρ
assume(T 6= F)
b := F
assume(x 6= y)
d := key(x)
assume(d = k)
b := T
r := x
x := n(x)
assume(x = y)
ϕ ≡ b=T⇒ key(r)=k
VC (ρ, ϕ)
T 6= F
∧ b1 = F
∧ x0 6= y0
∧ d1 = key(x0)
∧ d1 = k0
∧ b2 = T
∧ r1 = x0
∧ x1 = n(x0)
∧ x1 = y0
⇒ (b2 = T⇒ key(r1) = k0)
ϕ holds in every M in
which ρ is feasibleiff VC (ρ, ϕ) is valid in TEUF
9
![Page 25: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/25.jpg)
How do we verify a single execution?
• Verification of a single execution can be reduced to checking validity
of a quantifier-free formula in TEUF.
- Congruence closure algorithm
- Polynomial time when ϕ is a single atom.
• But programs have infinitely many executions.
• How do we recover decidability?
• Coherence to the rescue!
- Allows congruence closure to be performed in a streaming fashion.
10
![Page 26: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/26.jpg)
How do we verify a single execution?
• Verification of a single execution can be reduced to checking validity
of a quantifier-free formula in TEUF.
- Congruence closure algorithm
- Polynomial time when ϕ is a single atom.
• But programs have infinitely many executions.
• How do we recover decidability?
• Coherence to the rescue!
- Allows congruence closure to be performed in a streaming fashion.
10
![Page 27: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/27.jpg)
How do we verify a single execution?
• Verification of a single execution can be reduced to checking validity
of a quantifier-free formula in TEUF.
- Congruence closure algorithm
- Polynomial time when ϕ is a single atom.
• But programs have infinitely many executions.
• How do we recover decidability?
• Coherence to the rescue!
- Allows congruence closure to be performed in a streaming fashion.
10
![Page 28: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/28.jpg)
How do we verify a single execution?
• Verification of a single execution can be reduced to checking validity
of a quantifier-free formula in TEUF.
- Congruence closure algorithm
- Polynomial time when ϕ is a single atom.
• But programs have infinitely many executions.
• How do we recover decidability?
• Coherence to the rescue!
- Allows congruence closure to be performed in a streaming fashion.
10
![Page 29: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/29.jpg)
How do we verify a single execution?
• Verification of a single execution can be reduced to checking validity
of a quantifier-free formula in TEUF.
- Congruence closure algorithm
- Polynomial time when ϕ is a single atom.
• But programs have infinitely many executions.
• How do we recover decidability?
• Coherence to the rescue!
- Allows congruence closure to be performed in a streaming fashion.
10
![Page 30: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/30.jpg)
How do we verify a single execution?
• Verification of a single execution can be reduced to checking validity
of a quantifier-free formula in TEUF.
- Congruence closure algorithm
- Polynomial time when ϕ is a single atom.
• But programs have infinitely many executions.
• How do we recover decidability?
• Coherence to the rescue!
- Allows congruence closure to be performed in a streaming fashion.
10
![Page 31: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/31.jpg)
How do we verify a single execution?
• Verification of a single execution can be reduced to checking validity
of a quantifier-free formula in TEUF.
- Congruence closure algorithm
- Polynomial time when ϕ is a single atom.
• But programs have infinitely many executions.
• How do we recover decidability?
• Coherence to the rescue!
- Allows congruence closure to be performed in a streaming fashion.
10
![Page 32: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/32.jpg)
Congruence Closure
Congruence on Ground Terms
Let Σ = (C,F) be a FO-vocabulary. Let t1, t′1, t2, . . . , tk , t
′k be ground
terms on Σ and let f ∈ F be a k-ary function. Then,
t1 = t ′1 t2 = t ′2 . . . tk = t ′kf (t1, t2, . . . , tk) = f (t ′1, t
′2, . . . , t
′k)
Interpretation
In every FO structure M,
if Jt1KM = Jt ′1KM, Jt2KM = Jt ′2KM, . . . , and JtkKM = Jt ′kKMthen Jf (t1, t2, . . . , tk)KM = Jf (t ′1, t
′2, . . . , t
′k)KM
11
![Page 33: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/33.jpg)
Congruence Closure
Congruence on Ground Terms
Let Σ = (C,F) be a FO-vocabulary. Let t1, t′1, t2, . . . , tk , t
′k be ground
terms on Σ and let f ∈ F be a k-ary function. Then,
t1 = t ′1 t2 = t ′2 . . . tk = t ′kf (t1, t2, . . . , tk) = f (t ′1, t
′2, . . . , t
′k)
Interpretation
In every FO structure M,
if Jt1KM = Jt ′1KM, Jt2KM = Jt ′2KM, . . . , and JtkKM = Jt ′kKMthen Jf (t1, t2, . . . , tk)KM = Jf (t ′1, t
′2, . . . , t
′k)KM
11
![Page 34: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/34.jpg)
Congruence Closure on Executions
assume(x = y) x1 := f (x) y1 := f (y)
12
![Page 35: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/35.jpg)
Congruence Closure on Executions
Initially
x
x
y
y
assume(x = y) x1 := f (x) y1 := f (y)
12
![Page 36: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/36.jpg)
Congruence Closure on Executions
Initially
x
x
y
y
assume(x = y)
x
x
y
y
=
x1 := f (x) y1 := f (y)
12
![Page 37: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/37.jpg)
Congruence Closure on Executions
Initially
x
x
y
y
assume(x = y)
x
x
y
y
=
x1 := f (x)
x
x
y
y
=
f (x)
x1
y1 := f (y)
12
![Page 38: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/38.jpg)
Congruence Closure on Executions
Initially
x
x
y
y
assume(x = y)
x
x
y
y
=
x1 := f (x)
x
x
y
y
=
f (x)
x1
y1 := f (y)
x
x
y
y
=
f (x)
x1
f (y)
y1
12
![Page 39: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/39.jpg)
Congruence Closure on Executions
Initially
x
x
y
y
assume(x = y)
x
x
y
y
=
x1 := f (x)
x
x
y
y
=
f (x)
x1
y1 := f (y)
x
x
y
y
=
f (x)
x1
f (y)
y1
ϕ : x1 = y1
12
![Page 40: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/40.jpg)
Congruence Closure on Executions
Initially
x
x
y
y
assume(x = y)
x
x
y
y
=
x1 := f (x)
x
x
y
y
=
f (x)
x1
y1 := f (y)
x
x
y
y
=
f (x)
x1
f (y)
y1
ϕ : x1 = y1
=
ϕ holds
after the execution
12
![Page 41: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/41.jpg)
Congruence Closure on Executions
assume(x = y) x := f (x) x := f (x)
n times
y := f (y) y := f (y)
n times
13
![Page 42: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/42.jpg)
Congruence Closure on Executions
assume(x = y)
x
x
y
y
=
x := f (x) x := f (x)
n times
y := f (y) y := f (y)
n times
13
![Page 43: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/43.jpg)
Congruence Closure on Executions
assume(x = y)
x
x
y
y
=
x := f (x) x := f (x)
n times
x
y
y
=
f (x) f n(x)
x
y := f (y) y := f (y)
n times
13
![Page 44: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/44.jpg)
Congruence Closure on Executions
assume(x = y)
x
x
y
y
=
x := f (x) x := f (x)
n times
x
y
y
=
f (x) f n(x)
x
y := f (y) y := f (y)
n times
x
y
=
f (x) f n(x)
x
f (y) f n(y)
y
13
![Page 45: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/45.jpg)
Congruence Closure on Executions
assume(x = y)
x
x
y
y
=
x := f (x) x := f (x)
n times
x
y
y
=
f (x) f n(x)
x
y := f (y) y := f (y)
n times
x
y
=
f (x) f n(x)
x
f (y) f n(y)
y
ϕ : x = y
13
![Page 46: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/46.jpg)
Congruence Closure on Executions
assume(x = y)
x
x
y
y
=
x := f (x) x := f (x)
n times
x
y
y
=
f (x) f n(x)
x
y := f (y) y := f (y)
n times
x
y
=
f (x) f n(x)
x
f (y) f n(y)
y
ϕ : x = y
= =
ϕ holds
after the execution
13
![Page 47: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/47.jpg)
Congruence Closure on Executions
assume(x = y)
x
x
y
y
=
x := f (x) x := f (x)
n times
x
y
y
=
f (x) f n(x)
x
y := f (y) y := f (y)
n times
x
y
=
f (x) f n(x)
x
f (y) f n(y)
y
ϕ : x = y
= =
ϕ holds
after the execution
Unbounded memory required to infer equality relationships in a streaming
setting.
13
![Page 48: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/48.jpg)
Congruence Closure on Executions
x1 := f (x) y1 := f (y) x1 := f (x)
n times
y1 := f (y1) assume(x = y)
14
![Page 49: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/49.jpg)
Congruence Closure on Executions
x1 := f (x) y1 := f (y) x1 := f (x)
n times
y1 := f (y1)
x
x
y
y
f (x) f n(x)
x1
f (y) f n(y)
y1
assume(x = y)
14
![Page 50: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/50.jpg)
Congruence Closure on Executions
x1 := f (x) y1 := f (y) x1 := f (x)
n times
y1 := f (y1)
x
x
y
y
f (x) f n(x)
x1
f (y) f n(y)
y1
assume(x = y)
x
x
y
y
=
f (x) f n(x)
x1
f (y) f n(y)
y1
=
14
![Page 51: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/51.jpg)
Congruence Closure on Executions
x1 := f (x) y1 := f (y) x1 := f (x)
n times
y1 := f (y1)
x
x
y
y
f (x) f n(x)
x1
f (y) f n(y)
y1
assume(x = y)
x
x
y
y
=
f (x) f n(x)
x1
f (y) f n(y)
y1
=
ϕ : x1 = y1
14
![Page 52: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/52.jpg)
Congruence Closure on Executions
x1 := f (x) y1 := f (y) x1 := f (x)
n times
y1 := f (y1)
x
x
y
y
f (x) f n(x)
x1
f (y) f n(y)
y1
assume(x = y)
x
x
y
y
=
f (x) f n(x)
x1
f (y) f n(y)
y1
=
ϕ : x1 = y1
= =
ϕ holds
after the execution
14
![Page 53: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/53.jpg)
Congruence Closure on Executions
x1 := f (x) y1 := f (y) x1 := f (x)
n times
y1 := f (y1)
x
x
y
y
f (x) f n(x)
x1
f (y) f n(y)
y1
assume(x = y)
x
x
y
y
=
f (x) f n(x)
x1
f (y) f n(y)
y1
=
ϕ : x1 = y1
= =
ϕ holds
after the execution
Again, unbounded memory required to infer equality relationships in a
streaming setting.
14
![Page 54: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/54.jpg)
Algebraic View of Executions
Terms Computed
Term(ε, x) = x for every x ∈ V
Term(ρ · “x := y”, z) = Term(ρ, y) if z is x
Term(ρ · “x := f (z1, . . .)”, y) = f (Term(ρ, z1), . . .) if y is x
Term(ρ · a, x) = Term(ρ, x) otherwise
Equalities
α(ε) = ∅
α(ρ · “assume(x = y)”) = α(ρ) ∪ {(Term(ρ, x),Term(ρ, y))}α(ρ · a) = α(ρ) otherwise
Disequalities
β(ε) = ∅
β(ρ · “assume(x 6= y)”) = β(ρ) ∪ {(Term(ρ, x),Term(ρ, y))}β(ρ · a) = β(ρ) otherwise
15
![Page 55: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/55.jpg)
Algebraic View of Executions
Terms Computed
Term(ε, x) = x for every x ∈ V
Term(ρ · “x := y”, z) = Term(ρ, y) if z is x
Term(ρ · “x := f (z1, . . .)”, y) = f (Term(ρ, z1), . . .) if y is x
Term(ρ · a, x) = Term(ρ, x) otherwise
Equalities
α(ε) = ∅
α(ρ · “assume(x = y)”) = α(ρ) ∪ {(Term(ρ, x),Term(ρ, y))}α(ρ · a) = α(ρ) otherwise
Disequalities
β(ε) = ∅
β(ρ · “assume(x 6= y)”) = β(ρ) ∪ {(Term(ρ, x),Term(ρ, y))}β(ρ · a) = β(ρ) otherwise
15
![Page 56: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/56.jpg)
Algebraic View of Executions
Terms Computed
Term(ε, x) = x for every x ∈ V
Term(ρ · “x := y”, z) = Term(ρ, y) if z is x
Term(ρ · “x := f (z1, . . .)”, y) = f (Term(ρ, z1), . . .) if y is x
Term(ρ · a, x) = Term(ρ, x) otherwise
Equalities
α(ε) = ∅
α(ρ · “assume(x = y)”) = α(ρ) ∪ {(Term(ρ, x),Term(ρ, y))}α(ρ · a) = α(ρ) otherwise
Disequalities
β(ε) = ∅
β(ρ · “assume(x 6= y)”) = β(ρ) ∪ {(Term(ρ, x),Term(ρ, y))}β(ρ · a) = β(ρ) otherwise
15
![Page 57: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/57.jpg)
Coherence
An execution is coherent if it is memoizing and has early assumes.
Coherence = Memoizing + Early Assumes
16
![Page 58: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/58.jpg)
Coherence
An execution is coherent if it is memoizing and has early assumes.
Coherence = Memoizing + Early Assumes
Remember terms
until re-computation
Equality assumes
occur before
superterms are forgotten
16
![Page 59: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/59.jpg)
Coherence: Memoizing
Definition (Memoizing Execution)
An execution ρ is memoizing if for every prefix of ρ of the form
σ′ = σ · “x := f (y1, . . . , yr )”
we have the following.
If there is a term t ∈ ComputedTerms(σ) such that t ∼=α(σ) Term(σ′, x),
then there is a variable z ∈ V such that Term(σ, z) ∼=α(σ) Term(σ′, x).
Here,
• ComputedTerms(σ) = {Term(π, v) | v ∈ V , π is a prefix of σ},• ∼=α(ρ) is the smallest congruence induced by α(ρ).
17
![Page 60: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/60.jpg)
Coherence: Memoizing
assume (T 6= F);
b := F;
while (x 6= y) {d := key(x);
if (d = k) then {b := T;
r := x;
}x := n(x);
}
• All executions of this program
are vacuously memoizing.
• No term is recomputed.
18
![Page 61: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/61.jpg)
Example exeuction: Non Memoizing
assume(x = y)
x
x
y
y
=
x := f (x) x := f (x)
n times
x
y
y
=
f (x) f n(x)
x
y := f (y) y := f (y)
n times
x
y
=
f (x) f n(x)
x
f (y) f n(y)
y
Re-computation of terms deemed
equivalent by x = y .
The older term f (x) has been dropped.
NOT a memoizing execution
19
![Page 62: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/62.jpg)
Example exeuction: Memoizing
assume(x = y) x := f (x) y := f (y) x := f (x)
n times
y := f (y)
Re-computation happens in tandem
(at least one older equivalent terms is available
in some variable at the time of re-computation)
X memoizing execution
20
![Page 63: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/63.jpg)
Coherence: Early Assumes
Definition (Early Assumes)
An execution ρ is said to have early assumes if for every prefix of ρ of the
form
σ′ = σ · “assume(x = y)”
we have the following.
If there is a term s ∈ ComputedTerms(σ) such that s is a
α(σ)-superterm of either Term(σ, x) or Term(σ, y), then there is a
variable z ∈ V such that Term(σ, z) ∼=α(σ) s.
Here, t1 is a α(σ)-superterm of t2 if there are terms t ′1 and t ′2 such that
t ′1 is a superterm of t ′2, t1∼=α(σ) t
′1 and t2
∼=α(σ) t′2.
21
![Page 64: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/64.jpg)
Example exeuction: Violation of Early Assumes
x1 := f (x) y1 := f (y) x1 := f (x)
n times
y1 := f (y1)
x
x
y
y
f (x) f n(x)
x1
f (y) f n(y)
y1
assume(x = y)
Superterms of x and y
dropped before equality assume.
Does NOT satisfy early assumes
22
![Page 65: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/65.jpg)
Example exeuction: Early Assumes
assume(x = y) x := f (x) y := f (y) x := f (x)
n times
y := f (y)
X Early Assume
23
![Page 66: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/66.jpg)
Coherence
assume (T 6= F);
b := F;
while (x 6= y) {d := key(x);
if (d = k) then {b := T;
r := x;
}x := n(x);
}
• In every execution, equality
assume assume(x = y) occurs
on terms without any
superterms.
• All executions are coherent!
24
![Page 67: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/67.jpg)
Coherent Programs and their Verification
An uninterpreted program P ∈ 〈stmt〉 is coherent if all executions of P
are coherent.
Decidability of Verification of Coherent Programs [1]
Verification of uninterpreted coherent programs is PSPACE-complete.
Proof.
• Regular language Lϕcoherent such that for any coherent execution ρ,
ρ ∈ Lϕcoherent iff ρ |= ϕ
• The question Exec(P) ⊆ Lϕcoherent is decidable.
25
![Page 68: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/68.jpg)
Coherent Programs and their Verification
An uninterpreted program P ∈ 〈stmt〉 is coherent if all executions of P
are coherent.
Decidability of Verification of Coherent Programs [1]
Verification of uninterpreted coherent programs is PSPACE-complete.
Proof.
• Regular language Lϕcoherent such that for any coherent execution ρ,
ρ ∈ Lϕcoherent iff ρ |= ϕ
• The question Exec(P) ⊆ Lϕcoherent is decidable.
25
![Page 69: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/69.jpg)
Regularity of Feasible Coherent Executions
• P |= ϕ iff P¬ϕ |= false, where P¬ϕ = P; assume(¬ϕ)
• Regular language Lcoh-feas such that for any coherent execution ρ,
ρ ∈ Lcoh-feas iff ρ is feasible in some FO-structure M
• P |= ϕ iff Exec(P¬ϕ) ∩ Lcoh-feas = ∅
26
![Page 70: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/70.jpg)
Streaming Congruence Closure
• Acoh-feas = (Q ] {qreject}, q0, δ) with L(Acoh-feas) = Lcoh-feas.
• All states in Q are accepting.
• qreject is absorbing reject state, represents an infeasible execution.
• States in Q are triplets:
(∼, d , F )
Equivalence
on variables
[x1, x3]
[x2, x4, x5]...
Disequalities b/w
eq. classes
[x1, x3] 6= [x6]...
Partial func.
relationships b/w
eq. classes
f ([x1, x3]) = [x2, x4, x5]...
27
![Page 71: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/71.jpg)
Streaming Congruence Closure
Transitions δ update these relationships in a streaming fashion.
x1 = f (x)
x y
x1 y1
f
y1 = f (y)
x y
x1 y1
f f
assume(x = y)
x y
x1 y1
f f
Congruence Closure
assume(x 6= y)
qreject
28
![Page 72: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/72.jpg)
Streaming Congruence Closure
Transitions δ update these relationships in a streaming fashion.
x1 = f (x)
x y
x1 y1
f
y1 = f (y)
x y
x1 y1
f f
assume(x = y)
x y
x1 y1
f f
Congruence Closure
assume(x 6= y)
qreject
28
![Page 73: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/73.jpg)
Streaming Congruence Closure
Transitions δ update these relationships in a streaming fashion.
x1 = f (x)
x y
x1 y1
f
y1 = f (y)
x y
x1 y1
f f
assume(x = y)
x y
x1 y1
f f
Congruence Closure
assume(x 6= y)
qreject
28
![Page 74: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/74.jpg)
Streaming Congruence Closure
Transitions δ update these relationships in a streaming fashion.
x1 = f (x)
x y
x1 y1
f
y1 = f (y)
x y
x1 y1
f f
assume(x = y)
x y
x1 y1
f f
Congruence Closure
assume(x 6= y)
qreject
28
![Page 75: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/75.jpg)
Streaming Congruence Closure
Transitions δ update these relationships in a streaming fashion.
x1 = f (x)
x y
x1 y1
f
y1 = f (y)
x y
x1 y1
f f
assume(x = y)
x y
x1 y1
f f
Congruence Closure
assume(x 6= y)
qreject
28
![Page 76: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/76.jpg)
Streaming Congruence Closure
Correctness of Acoh-feas
Let ρ ∈ Π∗ be a coherent execution. Let q = δ∗(q0, ρ). Then,
• If ρ is not feasible in any M, then q = qreject
• Otherwise, q = (∼, d ,P) with
− Term(ρ, x) ∼=α(ρ) Term(ρ, y) iff [x ]∼ = [y ]∼.
− ([x ]∼, [y ]∼) ∈ d iff there is (tx , ty ) ∈ β(ρ) such that
tx ∼=α(ρ) Term(ρ, x) and ty ∼=α(ρ) Term(ρ, y).
− f (Term(ρ, x)) ∼=α(ρ) Term(ρ, y) iff F (f )([x ]∼) = [y ]∼
29
![Page 77: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/77.jpg)
Checking Coherence
Decidability of Checking Coherence [1]
There is a DFA Acheck-coh such that for an execution ρ ∈ Π∗, we have
ρ ∈ L(Acheck-coh) iff ρ is coherent
• Acheck-coh ignores all letters of the form “assume(x 6= y)”.
• States of Acheck-coh maintain (∼,F ,B):
• ∼ and F are as in Acoh-feas
• B keeps track of the following information: for a given equiv. class c
and for a function f , if f (c) has been computed before.
30
![Page 78: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/78.jpg)
Checking Coherence
Decidability of Checking Coherence [1]
There is a DFA Acheck-coh such that for an execution ρ ∈ Π∗, we have
ρ ∈ L(Acheck-coh) iff ρ is coherent
• Acheck-coh ignores all letters of the form “assume(x 6= y)”.
• States of Acheck-coh maintain (∼,F ,B):
• ∼ and F are as in Acoh-feas
• B keeps track of the following information: for a given equiv. class c
and for a function f , if f (c) has been computed before.
30
![Page 79: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/79.jpg)
k-Coherence
![Page 80: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/80.jpg)
k-Coherence
assume (x 6= z);
y := n(x);
assume (y 6= z);
y := n(y);
while (y 6= z) {x := n(x);
y := n(y);
}
ϕ ≡ z = n(n(x))
31
![Page 81: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/81.jpg)
k-Coherence
assume (x 6= z);
y := n(x);
assume (y 6= z);
y := n(y);
while (y 6= z) {x := n(x);
y := n(y);
}
ϕ ≡ z = n(n(x))
n(x)
n(n(x))
NOT coherent
• Re-computation without storing
prior equivalent terms.
• Insufficient number of program
variables to store intermediate
terms.
31
![Page 82: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/82.jpg)
k-Coherence
assume (x 6= z);
y := n(x);
assume (y 6= z);
y := n(y);
while (y 6= z) {x := n(x);
y := n(y);
}
ϕ ≡ z = n(n(x))
g := y;
g := y;
1-coherent
• Can be made coherent.
• By adding additional ghost
variables and assignments to
them.
• Write-only and do not change
semantics.
31
![Page 83: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/83.jpg)
k-Coherence
Definition (k-Coherent Executions and Programs)
Let k ∈ N. Let V be a set of variables and let G = {g1, . . . , gk} be
additional ghost variables (V ∩ G = ∅).
Let ΠG = Π ∪ {“g := x” | g ∈ G , x ∈ V }.An execution over V is k-coherent if there is an execution ρ′ over ΠG
such that ρ′ is coherent and ρ′�Π= ρ.
A programs is k-coherent if all its executions are.
Theorem [1]
Checking k-coherence is decidable in PSPACE. Further, verification of
k-coherent programs is decidable in PSPACE.
32
![Page 84: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/84.jpg)
k-Coherence
Definition (k-Coherent Executions and Programs)
Let k ∈ N. Let V be a set of variables and let G = {g1, . . . , gk} be
additional ghost variables (V ∩ G = ∅).
Let ΠG = Π ∪ {“g := x” | g ∈ G , x ∈ V }.An execution over V is k-coherent if there is an execution ρ′ over ΠG
such that ρ′ is coherent and ρ′�Π= ρ.
A programs is k-coherent if all its executions are.
Theorem [1]
Checking k-coherence is decidable in PSPACE. Further, verification of
k-coherent programs is decidable in PSPACE.
32
![Page 85: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/85.jpg)
Verification Modulo Theories
![Page 86: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/86.jpg)
Adding Interpretations
assume (T 6= F);
if (a ≤ b) then {if (a ≤ c) then
min := a;
else min := c;
}else {
if (b ≤ c) then
min := b;
else min := c;
}
ϕ ≡ min ≤ a ∧ min ≤ b
∧ min ≤ c
Find the minimum of a, b and c
33
![Page 87: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/87.jpg)
Adding Interpretations
assume (T 6= F);
if (a ≤ b) then {if (a ≤ c) then
min := a;
else min := c;
}else {
if (b ≤ c) then
min := b;
else min := c;
}
ϕ ≡ min ≤ a ∧ min ≤ b
∧ min ≤ c
Find the minimum of a, b and c
Does not
hold in
all M.
33
![Page 88: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/88.jpg)
Adding Interpretations
assume (T 6= F);
if (a ≤ b) then {if (a ≤ c) then
min := a;
else min := c;
}else {
if (b ≤ c) then
min := b;
else min := c;
}
ϕ ≡ min ≤ a ∧ min ≤ b
∧ min ≤ c
Find the minimum of a, b and c
Does not
hold in
all M.
a
a
b
b
c
c
a ≤ b
b ≤ c
c ≤ a
33
![Page 89: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/89.jpg)
Adding Interpretations
assume (T 6= F);
if (a ≤ b) then {if (a ≤ c) then
min := a;
else min := c;
}else {
if (b ≤ c) then
min := b;
else min := c;
}
ϕ ≡ min ≤ a ∧ min ≤ b
∧ min ≤ c
Find the minimum of a, b and c
This program satisfies ϕ if ≤ is
interpreted as a total order:
• ∀x · x ≤ x
• ∀x , y , z ·x ≤ y ∧y ≤ z =⇒ x ≤ z
• ∀x , y · x ≤ y ∧ y ≤ x =⇒ x = y
33
![Page 90: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/90.jpg)
Adding Interpretations
Definition (Verification Modulo Axioms)
Let P ∈ 〈stmt〉 be an uninterpreted program over vocabulary Σ. Let A be
a set of first order sentences over Σ and let ϕ be an assertion in the
following grammar.
ϕ ::= true | x = y | R(z) | ϕ ∨ ϕ | ¬ϕ
P |= ϕ modulo A iff for every execution ρ ∈ Exec(P) and for every FO
structure M such that M |= A and ρ is feasible in M, M satisfies
ϕ[valM(ρ,V )/V ].
34
![Page 91: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/91.jpg)
Adding Interpretations
Definition (Verification Modulo Axioms)
Let P ∈ 〈stmt〉 be an uninterpreted program over vocabulary Σ. Let A be
a set of first order sentences over Σ and let ϕ be an assertion in the
following grammar.
ϕ ::= true | x = y | R(z) | ϕ ∨ ϕ | ¬ϕ
P |= ϕ modulo A
iff for every execution ρ ∈ Exec(P) and for every FO
structure M such that M |= A and ρ is feasible in M, M satisfies
ϕ[valM(ρ,V )/V ].
34
![Page 92: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/92.jpg)
Adding Interpretations
Definition (Verification Modulo Axioms)
Let P ∈ 〈stmt〉 be an uninterpreted program over vocabulary Σ. Let A be
a set of first order sentences over Σ and let ϕ be an assertion in the
following grammar.
ϕ ::= true | x = y | R(z) | ϕ ∨ ϕ | ¬ϕ
P |= ϕ modulo A iff for every execution ρ ∈ Exec(P)
and for every FO
structure M such that M |= A and ρ is feasible in M, M satisfies
ϕ[valM(ρ,V )/V ].
34
![Page 93: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/93.jpg)
Adding Interpretations
Definition (Verification Modulo Axioms)
Let P ∈ 〈stmt〉 be an uninterpreted program over vocabulary Σ. Let A be
a set of first order sentences over Σ and let ϕ be an assertion in the
following grammar.
ϕ ::= true | x = y | R(z) | ϕ ∨ ϕ | ¬ϕ
P |= ϕ modulo A iff for every execution ρ ∈ Exec(P) and for every FO
structure M such that M |= A and ρ is feasible in M,
M satisfies
ϕ[valM(ρ,V )/V ].
34
![Page 94: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/94.jpg)
Adding Interpretations
Definition (Verification Modulo Axioms)
Let P ∈ 〈stmt〉 be an uninterpreted program over vocabulary Σ. Let A be
a set of first order sentences over Σ and let ϕ be an assertion in the
following grammar.
ϕ ::= true | x = y | R(z) | ϕ ∨ ϕ | ¬ϕ
P |= ϕ modulo A iff for every execution ρ ∈ Exec(P) and for every FO
structure M such that M |= A and ρ is feasible in M, M satisfies
ϕ[valM(ρ,V )/V ].
34
![Page 95: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/95.jpg)
Coherence Modulo Axioms
Coherence
modulo axioms=
Memoizing
modulo axioms+
Early Assumes
modulo axioms
35
![Page 96: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/96.jpg)
Example
A = {∀x , y ·f (x , y) = f (y , x)}
x1 := f (x , y) y1 := f (y , x)re-computation
modulo A
x1 := f (x , y) y1 := f (y , x ′) z := g(x1) z ′ := g(y1) assume(x = x ′)
Implied equality
z = z ′
36
![Page 97: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/97.jpg)
Example
A = {∀x , y ·f (x , y) = f (y , x)}
x1 := f (x , y) y1 := f (y , x)
re-computation
modulo A
x1 := f (x , y) y1 := f (y , x ′) z := g(x1) z ′ := g(y1) assume(x = x ′)
Implied equality
z = z ′
36
![Page 98: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/98.jpg)
Example
A = {∀x , y ·f (x , y) = f (y , x)}
x1 := f (x , y) y1 := f (y , x)re-computation
modulo A
x1 := f (x , y) y1 := f (y , x ′) z := g(x1) z ′ := g(y1) assume(x = x ′)
Implied equality
z = z ′
36
![Page 99: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/99.jpg)
Example
A = {∀x , y ·f (x , y) = f (y , x)}
x1 := f (x , y) y1 := f (y , x)re-computation
modulo A
x1 := f (x , y) y1 := f (y , x ′) z := g(x1) z ′ := g(y1) assume(x = x ′)
Implied equality
z = z ′
36
![Page 100: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/100.jpg)
Example
A = {∀x , y ·f (x , y) = f (y , x)}
x1 := f (x , y) y1 := f (y , x)re-computation
modulo A
x1 := f (x , y) y1 := f (y , x ′) z := g(x1) z ′ := g(y1) assume(x = x ′)
Implied equality
z = z ′
36
![Page 101: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/101.jpg)
Memoizing Modulo Axioms
Definition (Memoizing modulo axioms)
Let A be a set of axioms and let ρ ∈ Π∗ be an execution. Then, ρ is said
to be memoizing modulo A if the following holds.
Let σ′ = σ · “x :=f (z)” be a prefix of ρ. If there is a term
t ′ ∈ ComputedTerms(σ) such that t ′ ∼=A∪κ(σ) Term(σ′, x), then there
must exist some variable y ∈ V such that Term(σ, y) ∼=A∪κ(σ) t.
Here,
κ(ε) = ∅
κ(ρ · “assume(x = y)”) = κ(ρ) ∪ {(Term(ρ, x) = Term(ρ, y))}κ(ρ · “assume(x 6= y)”) = κ(ρ) ∪ {(Term(ρ, x) 6= Term(ρ, y))}
κ(ρ · “R(z1, . . .)”) = κ(ρ) ∪ {R(Term(ρ, z1), . . .)}κ(ρ · a) = κ(ρ) otherwise
37
![Page 102: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/102.jpg)
Memoizing Modulo Axioms
Definition (Memoizing modulo axioms)
Let A be a set of axioms and let ρ ∈ Π∗ be an execution. Then, ρ is said
to be memoizing modulo A if the following holds.
Let σ′ = σ · “x :=f (z)” be a prefix of ρ. If there is a term
t ′ ∈ ComputedTerms(σ) such that t ′ ∼=A∪κ(σ) Term(σ′, x), then there
must exist some variable y ∈ V such that Term(σ, y) ∼=A∪κ(σ) t.
Here,
κ(ε) = ∅
κ(ρ · “assume(x = y)”) = κ(ρ) ∪ {(Term(ρ, x) = Term(ρ, y))}κ(ρ · “assume(x 6= y)”) = κ(ρ) ∪ {(Term(ρ, x) 6= Term(ρ, y))}
κ(ρ · “R(z1, . . .)”) = κ(ρ) ∪ {R(Term(ρ, z1), . . .)}κ(ρ · a) = κ(ρ) otherwise
37
![Page 103: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/103.jpg)
Early Assumes Modulo Axioms
Definition (Early assumes modulo axioms)
Let A be a set of axioms and let ρ ∈ Π∗ be an execution. Then, ρ is said
to have early assumes modulo A if the following holds.
Let σ′ = σ · “assume(c)” be a prefix of ρ, where c is any of x =y , x 6=y ,
R(z), or ¬R(z).
Let t ∈ ComputedTerms(σ) be a term computed in σ such that t has
been dropped, i.e., for every x ∈ V , we have Term(σ, x)�A∪κ(σ)t.
For any term t ′ ∈ ComputedTerms(σ), if t ∼=A∪κ(σ′) t′, then t ∼=A∪κ(σ) t
′.
38
![Page 104: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/104.jpg)
Verification Modulo Axioms - Decidability Landscape [2]
Relational axioms Decidability
EPR 7
Reflexivity 3
Irreflexivity 3
Symmetry 3
Transitivity 3
Partial Order 3
Total Order 3
Functional axioms Decidability
Associativity 7
Commutativity 3
Idempotence 3
Combinations Decidability
All combinations
of decidable
axioms
3
39
![Page 105: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/105.jpg)
Thank You!
39
![Page 106: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/106.jpg)
Coherence Modulo Commutativity
Homomorphism hfcomm uses auxiliary variable v∗ 6∈ V :
hfcomm(a) =
{a · “v∗ := f (y , x)” · “assume(z = v∗)” if a = “z := f (x , y)”
a otherwise
Coherence Modulo Commutativity
An execution ρ is coherent modulo A iff hfcomm(a) is coherent modulo ∅.
Feasibility Modulo Commutativity
An execution ρ is feasible modulo A iff hfcomm(a) is feasible modulo ∅.
![Page 107: Verification of Uninterpreted and Partially Interpreted ...vicaryjo/owls/slides/umang.pdf · Umang Mathur Joint work with Madhusudan Parthasarathy and Mahesh Viswanathan University](https://reader036.vdocuments.net/reader036/viewer/2022062607/60570ae495c3c36e365c6608/html5/thumbnails/107.jpg)
References I
U. Mathur, P. Madhusudan, and M. Viswanathan.
Decidable verification of uninterpreted programs.
Proc. ACM Program. Lang., 3(POPL), Jan. 2019.
U. Mathur, P. Madhusudan, and M. Viswanathan.
What’s decidable about program verification modulo axioms?
In A. Biere and D. Parker, editors, Tools and Algorithms for the
Construction and Analysis of Systems, pages 158–177, Cham, 2020.
Springer International Publishing.
M. Muller-Olm, O. Ruthing, and H. Seidl.
Checking herbrand equalities and beyond.
In R. Cousot, editor, Verification, Model Checking, and Abstract
Interpretation, pages 79–96, Berlin, Heidelberg, 2005. Springer
Berlin Heidelberg.