Validity Checking with If-then-else Expressions Modulo Rich ... - Verimag

Validity checking with if-then-else expressions modulo rich first-order theories Silvio Ranise and David D´eharbe∗• LORIA/CASSIS & INRIA-Lorraine Nancy, France {deharbe, ranise}@loria.fr http://www.loria.fr/˜ranise http://www.loria.fr/˜deharbe ∗: UFRN/DIMAp – Natal, Brazil • Partially supported by CAPES grant BEX0006/02-5.

March 05, 2003 JSIVQP’03

S. Ranise and D. D´eharbe

March 05, 2003

Background

• Decision procedures are embedded in many theorem provers to accelerate proofs (SVC, CVC, Simplify, Acl2, PVS, HOL, Coq, Acl2, RDL, ...)

• Problem: decision procedures are designed and/or incorporated by ad-hoc means (most of the times) design . difficulties in proving correctness incorporation . difficulties in combining with other decision procedures1 and reasoning activities2 1 2

Shostak combination schema docet! such as handling the boolean structure and instantiating quantifiers

– Validity checking with if-then-else expressions modulo rich first-order theories – JSIVQP’03

< 1 >


March 05, 2003

What • Eliminating trivial subgoals represented as sequents modulo a background theory T

• In many cases, this can be reduced to satisfiability checking, i.e. proving the unsatisfiability of conjunctions of ground literals modulo T , by standard techniques Example . E is the quantifier-free theory of equality. 5

3

E |= f (c) = c, f (c) = c ⇒ f (c) = c

can be reduced to checking the E-unsatisfiability of 5

3

f (c) = c ∧ f (c) = c ∧ f (c) 6= c


< 2 >


March 05, 2003

Who & How

Approach

Propositional

First-Order

Efficiency

Flexibility

naive Simplify SVC CVC, ICS UCLID, EVC, sep

DNF DNF + splitting ITE + splitting SAT + lemmas SAT

anything NO. coop. DPs Sh. coop. DPs Sh. coop. DPs reduction

hopeless +/– + ++ ++

++ + + – –

Our goal: maintain efficiency while augmenting flexibility Approach haRVey

Propositional BDD + pruning

First-Order Superposition

Efficiency ++


Flexibility +++

< 3 >


March 05, 2003

Difficulties to overcome

• Sometimes, checking the satisfiability of ground literals is not enough . the capability of finding suitable instantiations of existentially quantified variables is required

• Handling user-defined symbols commonly used to structure specifications . no satisfactory solution but mixture of manual unfolding and validity checking

• Simplify features a heuristic matching mechanism to instantiate variables but... too heuristic =⇒ lack of “precision” (false negatives)


< 4 >


March 05, 2003

Plan of the talk

• Satisfiability checking of conjunctions of ground literals (superposition) • Extension to arbitrary boolean combinations of ground literals (BDDs) • Pruning (efficiency) • Extension to non-ground formulae (flexibility) • Applications • On-going and future work


< 5 >


March 05, 2003

Plan of the Talk

• Satisfiability checking of conjunctions of ground literals • Extension to arbitrary boolean combination of ground literals • Pruning • Extension to non-ground formulae • Applications • On-going and future work


< 6 >


March 05, 2003

A Rewriting Approach to Satisfiability Procedures [Armando, Ranise & Rusinowitch, IC’03]

• Idea: pick a superposition calculus off-the-shelf and show that it can be used as a satisfiability procedure for the theory3 of interest

• Generality: the approach works for a wide class of theories, e.g. . quantifier-free theory of equality . (variants of) theory of lists . theory of arrays and sets with/without extensionality . combination of arrays and lists 3

whose satisfiability problem is decidable and which is presented by a finite set of clauses


< 7 >


March 05, 2003

A Rewriting Approach to Satisfiability Procedures—I

• Given . a set S of ground literals . a clausal presentation Ax(T ) of a theory T extending E 4 • We want to derive . a procedure capable of establishing whether S is T -satisfiable5

4 5

Ax(T ) is not restricted to equations! i.e. S ∪ T is satisfiable


< 8 >


March 05, 2003

A Rewriting Approach to Satisfiability Procedures—II

• The recipe . Flatten the input set S of ground literals to obtain S 0 . Use a refutation complete superposition inference system and prove termination for S 0 ∪ Ax(T ), for all set of ground flat literals S 0

• Features . uniform6 and simple7 . easy to implement... take a state-of-the-art saturation theorem prover 6 7

it works for theories which are important in verification based on the rewriting framework, which is well-understood


< 9 >


March 05, 2003

A Rewriting Approach to Satisfiability Procedures—III

• flattening = add “fresh” constants to name subterms Example . {f (c, c0) = h(h(a)), h(h(h(a))) 6= a} is flattened to {f (c, c0) = c2, c3 6= a} ∪ {c1 = h(a), c3 = h(c2), c2 = h(c1)} Fact 1. Let S be a finite set of Σ-literals. Then there exists a finite set of flat Σ0-literals S 0 s.t. S 0 is T -satisfiable iff S is.8

• Termination proofs in the second step are substantially easier9 Σ0 is obtained from Σ by adding a finite number of constants 9 easier to reason about superpositions when depth of terms ≤ 1 8


< 10 >


March 05, 2003

A Rewriting Approach to Satisfiability Procedures—IV The Superposition Calculus: Inference Rules Name Sup. Par. Ref. Fac.

Rule Γ → ∆, l[u0] = r Π → Σ, u = v Γ, Π → ∆, Σ, l[v] = r Γ, l[u0] = r → ∆ Π → Σ, u = v l[v] = r, Γ, Π → ∆, Σ Γ, u0 = u → ∆ Γ→∆ Γ → ∆, u = t, u0 = t0 Γ, t = t0 → ∆, u0 = t0

Conditions u 6 v, l[u0] 6 r, ∗ u 6 v, l[u0] 6 r, ∗ (u0 = u) 6≺ (Γ ∪ ∆) u 6 t, u 6 Γ, (u = t) 6≺ {u0 = t0} ∪ ∆

∗ (u = v) 6 (Π ∪ Σ), (l[u0] = r) 6≺ (Γ ∪ ∆) ∗∗ σ = mgu(u, u0) implicitly applied to consequents and conditions – Validity checking with if-then-else expressions modulo rich first-order theories – JSIVQP’03

< 11 >


March 05, 2003

A Rewriting Approach to Satisfiability Procedures—V The Superposition Calculus: Simplification Rules

Name Subsumption

Rule S ∪ {C, C 0} S ∪ {C}

Simplification

S ∪ {C[θ(l)], l = r} S ∪ {C[θ(r)], l = r}

Deletion

S ∪ {Γ → ∆, t = t} S

Conditions for some θ, θ(C) ⊆ C 0, and for no ρ, ρ(C 0) = C θ(l) θ(r), C[θ(l)] (θ(l) = θ(r))


< 12 >


March 05, 2003

A Rewriting Approach to Satisfiability Procedures—VI The Superposition Calculus: Details • Reduction Ordering total on ground terms and s.t. f (c1, . . . , cn) c0, for each n-ary function symbol f and constants c1, ..., cn (n ≥ 1)

. (a = b) e (c = d) iff {a, b} {c, d}10, clauses (i.e. multisets of literals) are compared by the multiset extension of e

• Refutation complete = any fair application of the rules to an unsatisfiable set of clauses will derive the empty clause

• Saturation of a set of clauses is the final set of clauses generated by a fair derivation using the rules with higher priority given to the simplification rules 10

is the multiset extension of on terms


< 13 >


March 05, 2003

A Rewriting Approach to Satisfiability Procedures—VII A Satisfiability Procedure for the theory A of Arrays • Finite presentation Ax(A) :=

read(write(A, I, E), I) = E I 6= J ⇒ read(write(A, I, E), J) = read(A, J)

• Intuition i1 i read( 2 i3 i4

: : : :

e1 e2 , i2) = e2 e3 e4

i1 i write( 2 i3 i4

: : : :

e1 e2 , i2, e02) = e3 e4


i1 i2 i3 i4

: : : :

e1 e02 e3 e4

< 14 >


March 05, 2003

Lemma 1. Let S be a finite set of flat literals. The clauses occurring in the saturations of S ∪ Ax(A) by SP can only be: i) the empty clause;

ii) axioms

iii) ground flat literals

iv) clauses of type t ./ t0 ∨ c1 = c01 ∨ · · · ∨ cn = c0n with t ./ t0 ∈ {c 6= c0, read(c, i) = c0, read(c, i) = read(c0, i0)} v) clauses of type read(c, x) = read(c0, x) ∨ c1 = k1 ∨ · · · ∨ cn = kn, where ki is either x or ci.11

Proof . simple induction on the length of derivations =⇒ saturations of S ∪ Ax(A) are finite Theorem 1. SP is a satisfiability procedure for A. n2 12

Remark . coarse grained complexity result O(2 )

i, c, c0 , c1 , c01 , . . . , cn , c0n are constants, and x is a variable 12 the satisfiability problem for A is “only” O(2n ) [Downey & Sethi, JACM 25(4)] 11


< 15 >


March 05, 2003

Plan of the Talk



< 16 >


March 05, 2003

Arbitrary combination of ground literals—I Starting with a naive approach:

• to show that a ground formula ϕ is T -valid: . put ¬ϕ into DNF: {Si | i = 1, ..., n} . if there exists j ∈ {1, ..., n} s.t. Sj is T -satisfiable, then ϕ is not T -valid and Sj is a “counter-example”

. if for all i = 1, ..., n Si is T -unsatisfiable, then ϕ is T -valid • Ideas: (1) abstract atoms to propositional vars, (2) use BDDs to represent DNFs, (3) check T -satisfiability by saturation – Validity checking with if-then-else expressions modulo rich first-order theories – JSIVQP’03

< 17 >


March 05, 2003

Arbitrary combination of ground literals—II

• Reduced Ordered Binary Decision Diagrams (BDDs) provide an efficient data structure for propositional reasoning.

• The BDD of a formula f (x1, x2 . . . xn) can be viewed as Shannon’s expansion: [x1 ∧ f (>, x2 . . . xn)] ∨ [¬x1 ∧ f (⊥, x2 . . . xn)]. x1 −

f (⊥, x2 . . . xn)

+

@

@ @ @ R @

f (>, x2 . . . xn)


< 18 >


March 05, 2003

Arbitrary combination of ground literals—III

• Reduced: no distinct isomorphic subtrees • Ordered: variables appear on a given order from root to leaves • BDDs are canonical (for propositional logic): . a formula is valid iff its BDD is the same as the BDD for > . a formula is satisfiable iff it is different from the BDD for ⊥: each branch from a root to the > leaf is a satisfiable valuation

. no search!


< 19 >


March 05, 2003

Arbitrary combination of ground literals—IV • BDDs are no more canonical for first-order logic Example . ite(x = y, ite(p(x), ite(p(y), ⊥, >), >) p(x)) Notice: the >-branch x = y ∧ p(x) ∧ ¬p(y) is not E-satisfiable

• Search for T -satisfiable branches (= conjunctions of ground literals) . check branches for T -(un)satisfiability by superposition – Validity checking with if-then-else expressions modulo rich first-order theories – JSIVQP’03

< 20 >


March 05, 2003

Arbitrary combination of ground literals—V

function search satisfiable (T: theory; φ: formula) while φ 6= ⊥ do β ←− branch(φ) ρ ←− saturate(T, β) if [] ∈ / ρ then return (yes, β) φ ←− φ ∧ ¬β done return (no, −) end

• Unfortunately, inefficient because of exhaustive search (exponentially many branches) – Validity checking with if-then-else expressions modulo rich first-order theories – JSIVQP’03

< 21 >


March 05, 2003

Plan of the talk



< 22 >


March 05, 2003

Pruning—I • Avoid repeated T -satisfiability checking of “similar” branches Intuition . many branches in the BDD with the same prefix containing the literals which are “responsible” for the T -unsatisfiability

• S1 and S2 are “similar” if there exists S s.t. S ⊂ S1, S ⊂ S2, and the T -unsatisfiability of S entails the T -unsatisfiability of S1 and S2

. the problem of determining the smallest set S is NP-complete . in practice: S is (heuristically) “small” • modify saturate to return also the proof of the empty clause . the proof will contain S, (usually) a subset of the branch β – Validity checking with if-then-else expressions modulo rich first-order theories – JSIVQP’03

< 23 >


March 05, 2003

Pruning—II

Pruning subsumed branches

• Let π be the saturation proof showing that the branch β is T -unsatisfiable;

• Let hypothesis(π) be the set of all the literals in π belonging to the branch β;

• Then hypothesis(π) is T -unsatisfiable, and ¬hypothesis(π) is T -satisfiable.


< 24 >


March 05, 2003

Pruning—III

function search satisfiable (T: theory; φ: formula) while φ 6= ⊥ do β ←− branch(φ) (ρ, π)←− saturate(T, β) if [ ] ∈ / ρ then return (yes, β) φ ←− φ ∧ ¬hypothesis(π) done return (no, −) end


< 25 >


March 05, 2003

haRVey—I

These techniques have been implemented in haRVey:

• it uses: . CWI’s ATerm library . Schulz E-prover . David Long’s BDD library • available on the Web at http://www.loria.fr/equipes/cassis/softwares/haRVey


< 26 >


March 05, 2003

haRVey—II

• Input: hAx(T ), ϕi, where . Ax(T ) axiomatises the background theory . ϕ is the formula to be proved valid. • Output: . Yes or . No, and a “counter-example”


< 27 >


March 05, 2003

Experimental results • We compare the execution time of haRVey with and without pruning of subsumed branches

• The benchmark we use are the verification condition (valid purely equational ground formulae) for the proof of Burns’ mutual exclusion protocol13 Proof obligation Burns 6 Burns 12 Burns 23 Burns 28 Burns 33 Burns 36

elimination off on 0.90 0.17 0.73 0.26 10.53 0.09 14.94 0.24 8.97 0.25 13.73 0.84

Proof obligation Burns 8 Burns 14 Burns 24 Burns 31 Burns 34 Burns 37

elimination off on 25.50 0.72 0.05 0.05 0.87 0.08 0.87 0.16 14.72 0.23 18.23 0.22

.

average speed-up: 2 orders of magnitude

13

Warning: The natural number N in BurnsN uniquely identifies a proof obligation. It is by no means related to the size of the proof obligations. – Validity checking with if-then-else expressions modulo rich first-order theories – JSIVQP’03

< 28 >


March 05, 2003

Plan of the talk



< 29 >


March 05, 2003

Instantiating Quantifiers–I

• Problem: sometimes checking the satisfiability of ground literals is not enough

. the capability of finding suitable instantiations of existentially quantified variables is required for example . checking the validity of formulae of the following form is required: (∀x1, ..., xn φ) | {z }

=⇒ (∀y1, ..., ym ψ)

implicit existential quantif.

where the only free var’s of φ (ψ) are x1, ..., xn (y1, ..., ym, resp.) – Validity checking with if-then-else expressions modulo rich first-order theories – JSIVQP’03

< 30 >


March 05, 2003

Instantiating Quantifiers–II

• Solution: use basic properties of the consequence relation |= to pre-process the proof obligation and then invoke haRVey with an extended background theory i.e. . T |= (∀x1, ..., xn φ) =⇒ (∀y1, ..., ym ψ) can be transformed to T , ..., xn φ} | , ∀x1{z

|= ∀y1, ..., ym ψ

extended background theory

similarly . for proof obligations of the form (∃x1, ..., xn φ) =⇒ (∃y1, ..., ym ψ) since they can be transformed into (∀x1, ..., xn ¬ψ) =⇒ (∀y1, ..., ym ¬φ) – Validity checking with if-then-else expressions modulo rich first-order theories – JSIVQP’03

< 31 >


March 05, 2003

Instantiating Quantifiers–III

• Notice that we are hiding the difficulties in the background reasoner • Fortunately, haRVey adopts a full-fledge first-order equational prover as background reasoner

• So, in haRVey: integrating T -satisfiability checking of ground literals and

is

theorem proving in the theory T ∪ {∀x1, ..., xn φ}

quantifier reasoning for ∀x1, ..., xn φ

• Remark: fully automatic semi-decision procedure, no user-guidance! – Validity checking with if-then-else expressions modulo rich first-order theories – JSIVQP’03

< 32 >


March 05, 2003

Instantiating Quantifiers–IV

• A general approach . replace each quantified subformula Qx1 . . . xnφ(x1 . . . xn) with a fresh propositional constant p;

. add the clausification of formula p ⇐⇒ Qx1 . . . xnφ(x1 . . . xn) to the background theory refinement . take into account polarity, e.g. T |= ∀x.A(x) ⇒ G to check the T -unsatisfiability of ∀x.A(x) ∧ ¬G, it is sufficient to check the T ∪ {p ⇒ ∀x.A(x)}-unsatisfiability of p ∧ ¬G


< 33 >


March 05, 2003

Instantiating Quantifiers–V

Example T |= (a = a0 ∧ ∃x.a = ins(x, ∅)) =⇒ ∃x.a0 = ins(x, ∅) quantified subformulae are replaced with constants: T ∪ {p ⇔ ∃x.a = ins(x, ∅), p0 ⇔ ∃x.a0 = ins(x, ∅)} |= (a = a0 ∧ p) =⇒ p0 axioms are clausified: T ∪ {¬p ∨ a = ins(sk, ∅), p ∨ a = ins(X, ∅), . . .} |= (a = a0 ∧ p) =⇒ p0


< 34 >


March 05, 2003

Plan of the talk



< 35 >


March 05, 2003

Applications—I

• Parameterized protocols (Burns)

√

• Debugging of pointer-manipulating programs • Correctness of (imperative) programs • Push-button proofs of invariants of B machines (work in progress)


< 36 >


March 05, 2003

Applications—II

Debugging of pointer-manipulating programs (written in C)

• Loops are unrolled a fixed number of times (sufficient to expose bugs) • Theory of arrays to model pointer (de-)referencing • Theory of lists to reason about records • This approach allows for (declarative) . cleanness checking of pointer-manipulating prg.14 . verification of user specified annotations 14

See the paper “Checking Cleanness in Linked Lists” by N. Dohr, M. Rodeh, and M. Sagiv. In Proc. of the Static Analysis Symposium 2000. – Validity checking with if-then-else expressions modulo rich first-order theories – JSIVQP’03

< 37 >


March 05, 2003

Applications—III

(a) user-defined property search1 search2 search3 search4 search5 search6 remove1 remove2 remove3 remove4

haRVey 0.08 0.17 0.68 0.16 0.17 0.23 0.15 0.19 0.21 0.37

E 0.03 0.17 0.16 0.36 1.22 5.48 0.02 0.39 11.40 40.55

(b) read undefined Simplify 0.03 0.10 0.71 1.78 21.36 mem.out 0.02 0.14 2.18 mem.out

fumble3 insert3 merge2 remove3 remove-all3 reverse3 rotate3 search3 swap3

haRVey 0.06 0.34 0.19 0.04 0.06 0.26 0.48 0.33 0.21

E 1.62 111.89 time out time out 0.03 2.64 10.80 145.40 0.10

Simplify 0.04 0.29 3.61 3.46 0.03 0.08 0.11 0.79 0.04

.

The numbers appearing as exponents to the names of the proof obligations indicate how many times the loop in the corresponding C program has been unrolled. – Validity checking with if-then-else expressions modulo rich first-order theories – JSIVQP’03

< 38 >


March 05, 2003

Applications—IV

(c) null pointer dereferencing 6

insert merge4 remove4 remove-all3 reverse8 rotate8 swap3

haRVey 0.83 5.83 0.05 0.06 0.20 0.39 0.25

E time out sp. out sp. out 0.05 time out time out 0.12

(d) memory leakage Simplify 3.22 41.71 9.69 0.02 0.51 0.85 0.04

2

fumble insert3 merge1 remove2 remove-all3 reverse2 rotate2 search3 swap3

haRVey 0.10 0.07 0.48 0.11 0.05 1.20 1.68 0.05 0.05


E time out time out sp. out sp. out 508.14 sp. out sp. out time out time out

Simplify 38.08 25.93 mem. out mem. out 0.65 mem. out mem. out 3.64 1.17

< 39 >


March 05, 2003

Applications—V

Correctness of (imperative) algorithms

• challenge:

automatically check all the proof obligations of Union-Find algorithm given in Nelson’s POPL’81 paper

• Simplify (heuristic) handling of quantifier is not capable of coping with such a complex situation

.

sophisticated pointer manipulations

.

Nelson’s formalization of linked lists is different from the previous one ⇒ flexibility of haRVey w.r.t. changes in the background theory


< 40 >


March 05, 2003

Applications—VI

B1

B2

B3

B4

B5

B6

0.03 0.03 —

0.06 0.03 0.01

0.03 0.10 —

0.03 23.16 0.04

0.06 0.03 0.01

0.14 0.04 0.01

B7

B8

B9

B10

B11

B12

haRVey 0.11 0.33 0.69 2.46 0.31 E prover 0.04 0.18 0.75 time out 0.13 Simplify 0.20 — † — — — indicates that Simplify gave a (false) negative answer. † indicates that Simplify aborted.

1.50 0.65 —

haRVey E prover Simplify

From Verifying Reachability Invariants of Linked Structures, by G. Nelson, Conference Record of the Tenth Annual ACM Symposium on Principles of Programming Languages (POPL’83), pp. 38–47, 1983.


< 41 >


March 05, 2003

Applications—VII (jww A. Giorgetti and J.-F. Couchot, LIFC) Push-button proofs of invariants of B machines

• B machines are annotated with invariants; • B machines are written with set theory operators; • standard methodology to generate first-order proof obligations which entails that an invariant is an inductive invariant;

• B constructs require quantifiers


< 42 >


March 05, 2003

Applications—VIII MACHINE SETS VARIABLES INVARIANT

scheduler PID active, ready, waiting active