A Framework for Cooperating Decision Procedures
Clark W. Barrett, David L. Dill, Aaron Stump
Computer Systems Laboratory, Stanford University
Outline
Motivation
The Framework
Correctness of the Framework
Using the Framework
Conclusions
The Need for Decision Procedures
Many interesting and practical problems can be expressed as problems in a decidable theory.
General-purpose decision procedures can save time and effort when approaching new problems.
Decision procedures have been used in theorem proving, model checking, symbolic simulation, system specification, and other applications, many of which were unanticipated.
The Stanford Validity Checker (SVC)
This work is a result of ongoing attempts to improve the decision procedures of SVC.
Despite theoretical and architectural weaknesses, SVC has been surprisingly successful.
Our goals with SVC include the following:
  Provably correct
  Adequately expressive, yet still decidable
  Flexible and easy to extend
  Maximum performance
SVC Core: Cooperating Decision Procedures
Suppose $T_1, \ldots, T_n$ are decidable theories with disjoint signatures.
Let $T = \bigcup_i T_i$, whose signature is the union of the signatures of the $T_i$, and let $\phi$ be a quantifier-free formula in the language of $T$.
Is $\phi$ satisfiable in the theory $T$?
Cooperating Decision Procedures
Two main approaches: Nelson and Oppen ['79] and Shostak ['84].
The original papers are confusing and incomplete; later work clarified each approach: [Tinelli & Harandi '96] for Nelson-Oppen, [Cyrluk et al. '96; Shankar & Ruess '00] for Shostak.
This work seeks to unify and further clarify these two approaches.
Outline (next section: The Framework)
Preliminaries
Expressions: DAG representation of terms and formulas. Each node is an operator applied to 0 or more children, so identical sub-expressions are shared.
Union-Find: each expression (including the Boolean constants true and false) belongs to an equivalence class with a unique representative.
  Find(x) returns the equivalence class representative of x.
  Union(x, y) merges the equivalence classes associated with x and y and makes y the new representative.
Framework Interface
AddFormula(φ), where φ is a literal in the language of T: C := C ∪ {φ}. (Initially, C = ∅.)
Satisfiable(): returns TRUE iff Find(true) ≠ Find(false).
Satisfiability of an arbitrary quantifier-free formula is determined by converting it to DNF and then testing each disjunct (a conjunction of literals) for satisfiability.
The Framework
[Diagram: the framework's call structure. AddFormula passes φ to Assert; Assert calls Simplify (φ → φ') and then Merge (a = b); Simplify calls Rewrite (t → t'); Merge calls Setup on a and b. Rewrite, Setup and Propagate are the theory-specific code; Propagate feeds new facts back in through AddFormula.]
AddFormula and Assert
Assert(φ) processes the formula by first simplifying it and then calling Merge.
AddFormula is a wrapper around Assert which then lets each theory assert new facts (Propagate) until nothing changes.

AddFormula(φ)
  Assert(φ);
  REPEAT
    FOREACH theory i DO
      Propagate(i);
  UNTIL no change;

Assert(φ)
  φ' := Simplify(φ);
  IF φ' is not an equation THEN
    φ' := (φ' = true);
  Merge(φ');
Simplify and Rewrite
Simplify returns an expression that is equivalent to its argument in the current context: it recursively replaces each sub-expression with its equivalence class representative and then applies theory-specific rewrites.

Simplify(φ)
  IF Find(φ) is defined THEN
    RETURN Find(φ);
  φ' := Simplify each child of φ;
  φ' := Rewrite(φ');
  RETURN φ';

Rewrite(t)
  t' := TheoryRewrite(t);
  IF t ≠ t' THEN
    t' := Rewrite(t');
  RETURN t';
Setup and Merge
Merge records that two expressions a and b are equal by merging their equivalence classes. It calls Setup on each expression and then notifies the theories that care about a (those that registered a callback <f, d> on a).

Merge(a = b)
  Setup(a); Setup(b);
  Union(a, b);
  FOREACH <f, d> ∈ a.notify DO
    Call f(a = b, d);

Setup(t)
  IF Find(t) is defined THEN RETURN;
  FOREACH child c of t DO Setup(c);
  TheorySetup(t);
  Find(t) := t;
A Simple Example
[Trace of AddFormula(a = b) through the framework: AddFormula passes a = b to Assert; Simplify(a = b) finds no representative for a or b, so Rewrite returns a = b unchanged; Merge(a = b) calls Setup(a) and Setup(b) and then Union(a, b), after which Find(a) = b. Simplifying a = b again now yields b = b, which Rewrite reduces to true.]
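The pseudocode of AddFormula, Assert, Simplify, Rewrite, Merge and Setup, together with the simple example, as one runnable model. This is an added example and not SVC's code: the class and method names, the hash-consing constructor mk, the decision to keep notify lists on class representatives (so that the users of every member of a merged class are told about the merge), and the single theory (Boolean connectives plus uninterpreted functions, with congruence closure done through Merge's notify callbacks rather than in Propagate) are this example's own assumptions. demo_simple replays the a = b trace; demo_congruence shows that the notify path makes the result independent of the order in which the literals are asserted.

```python
class Expr:                       # a DAG node: operator applied to 0 or more children
    def __init__(self, op, children):
        self.op, self.children = op, children
        self.rep = None           # None until Setup; afterwards the union-find link
        self.members = []         # class members, kept on the representative
        self.notify = []          # <f, d> pairs fired by Merge; kept on representatives here

def find(x):                      # Find(x): the representative of x's class
    while x.rep is not None and x.rep is not x:
        x = x.rep
    return x

def union(x, y):                  # Union(x, y): y's class absorbs x's and keeps its representative
    rx, ry = find(x), find(y)
    if rx is not ry:
        for m in rx.members:
            m.rep = ry
        ry.members.extend(rx.members)
        ry.notify.extend(rx.notify)

class Uninterpreted:
    """Boolean connectives plus uninterpreted functions; congruence closure is done the
    framework's way, by registering each term on its children's classes via notify."""
    def rewrite(self, fw, t):                 # TheoryRewrite: t = t, true = false, not true/false
        c = t.children
        if t.op == "=" and c[0] is c[1]:
            return fw.TRUE
        if t.op == "=" and {c[0], c[1]} == {fw.TRUE, fw.FALSE}:
            return fw.FALSE
        if t.op == "not" and c[0] in (fw.TRUE, fw.FALSE):
            return fw.FALSE if c[0] is fw.TRUE else fw.TRUE
        return t
    def setup(self, fw, t):                   # TheorySetup: watch each child's class
        for c in t.children:
            find(c).notify.append((self.child_merged, t))
    def child_merged(self, fw, eq, parent):   # a child's class changed: re-simplify the parent
        rebuilt = fw.rewrite(fw.mk(parent.op, *[find(c) for c in parent.children]))
        if find(rebuilt) is not find(parent):
            fw.merge(fw.mk("=", find(parent), find(rebuilt)))
    def propagate(self, fw): return False     # nothing deferred: every fact was merged eagerly

class Framework:
    def __init__(self):
        self.theories, self._table = [Uninterpreted()], {}
        self.TRUE, self.FALSE = self.mk("true"), self.mk("false")
    def mk(self, op, *children):              # hash-consing: structurally equal terms share a node
        if (op, children) not in self._table:
            self._table[(op, children)] = Expr(op, children)
        return self._table[(op, children)]
    def add_formula(self, phi):               # AddFormula
        self.assert_(phi)
        while any([th.propagate(self) for th in self.theories]):   # REPEAT ... UNTIL no change
            pass
    def assert_(self, phi):                   # Assert
        phi2 = self.simplify(phi)
        if phi2.op != "=":
            phi2 = self.mk("=", phi2, self.TRUE)
        self.merge(phi2)
    def simplify(self, e):                    # Simplify
        if e.rep is not None:
            return find(e)
        return self.rewrite(self.mk(e.op, *[self.simplify(c) for c in e.children]))
    def rewrite(self, t):                     # Rewrite: TheoryRewrite until nothing changes
        t2 = t
        for th in self.theories:
            t2 = th.rewrite(self, t2)
        return self.rewrite(t2) if t2 is not t else t2
    def merge(self, eq):                      # Merge(a = b)
        a, b = eq.children
        self.setup(a); self.setup(b)
        ra = find(a)
        union(a, b)
        for f, d in list(ra.notify):          # notify the theories that care about a
            f(self, eq, d)
    def setup(self, t):                       # Setup
        if t.rep is not None:
            return
        for c in t.children:
            self.setup(c)
        for th in self.theories:
            th.setup(self, t)
        t.rep, t.members = t, [t]
    def satisfiable(self):                    # Satisfiable(): Find(true) != Find(false)
        return find(self.TRUE) is not find(self.FALSE)

def demo_simple():                # the slides' example: AddFormula(a = b), then Find(a) = b
    fw = Framework()
    a, b = fw.mk("a"), fw.mk("b")
    fw.add_formula(fw.mk("=", a, b))
    return find(a) is b, fw.simplify(fw.mk("=", a, b)) is fw.TRUE, fw.satisfiable()

def demo_congruence(with_a_eq_b, a_eq_b_first):   # f(a) = c, not(f(b) = c) [, a = b]
    fw = Framework()
    a, b, c = fw.mk("a"), fw.mk("b"), fw.mk("c")
    lits = [fw.mk("=", fw.mk("f", a), c), fw.mk("not", fw.mk("=", fw.mk("f", b), c))]
    if with_a_eq_b:
        lits.insert(0 if a_eq_b_first else len(lits), fw.mk("=", a, b))
    for lit in lits:
        fw.add_formula(lit)
    return fw.satisfiable()
```

demo_simple() returns (True, True, True): Find(a) is b, a = b now simplifies to true, and the context is satisfiable. demo_congruence(True, True) and demo_congruence(True, False) both return False: whether a = b arrives first (so f(a) is simplified to f(b) before it is merged with c) or last (so the notify callback on a re-simplifies f(a) after the merge), the framework ends up merging true with false, which is how Satisfiable() reports a contradiction. Without a = b, demo_congruence(False, False) returns True.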
Outline (next section: Correctness of the Framework)
Approach to Correctness
Develop a set of preconditions and requirements that must hold for the framework to be correct.
Prove that, as long as the code associated with individual theories adheres to these general requirements, the framework is correct.
Prove the main theorems once, then prove only a small set of theorems each time a theory is added.
Example: Completeness
Theorem [Tinelli et al. '96]:
Let $T_1$ and $T_2$ be two disjoint theories, let $\phi_1$ be a formula in the language of $T_1$ and $\phi_2$ a formula in the language of $T_2$.
Let $V$ be the set of their shared variables and let $\alpha(V)$ be an arrangement of $V$, that is, a choice for every pair of variables in $V$ of whether they are equal or distinct.
If $\phi_1 \wedge \alpha(V)$ is satisfiable in $T_1$ and $\phi_2 \wedge \alpha(V)$ is satisfiable in $T_2$, then $\phi_1 \wedge \phi_2$ is satisfiable in $T_1 \cup T_2$.
Example: Completeness (continued)
Every formula recorded by Merge is associated with an individual theory.
Each theory $T_i$ determines whether the conjunction of its formulas, together with the arrangement of the shared variables induced by the expression equivalence classes, is satisfiable in $T_i$.
By the previous theorem, we can then determine whether the conjunction of all formulas recorded by Merge is satisfiable.
Outline (next section: Using the Framework)
Nelson-Oppen Style Combinations
Input formulas are transformed into equisatisfiable formulas, each of which lies in a single theory, by introducing fresh variables for sub-terms that belong to another theory.
Suppose f and g are symbols from two different theories. Then $y = f(g(x))$ becomes $y = f(z) \wedge z = g(x)$, with the new variable $z$ shared between the two theories.
Each theory must determine whether any equalities between (shared) variables are entailed by its formulas and propagate these equalities to the other theories.
Our Approach to Nelson-Oppen
The flexible nature of the framework allows us to directly implement, and prove correct, a more efficient algorithm:
  Don't transform the formulas or introduce new variables. It is sufficient to partition the formulas and mark which terms are "used" by more than one theory.
  Only propagate equalities between terms used by more than one theory, and only to the theories which use the left side of the equality.
Nelson-Oppen Example
$\neg P(0) \wedge P(h(x) - h(y)) \wedge x \le y \wedge \mathit{write}(t, i, 0) = s \wedge y \le x + s[i]$
Combines three theories: uninterpreted functions (P, h), arithmetic with inequalities, and arrays (write, s[i]).
Nelson-Oppen Example (trace)
[Trace of the example through the framework, by theory (Uninterpreted / Arithmetic / Arrays):
¬P(0) is asserted as P(0) = false (uninterpreted functions).
P(h(x) − h(y)) is asserted as P(h(x) − h(y)) = true; the terms x, y, h(x), h(y) are used by both the uninterpreted and the arithmetic theory, so they are marked as shared.
x ≤ y is asserted as (x ≤ y) = true (arithmetic).
write(t, i, 0) = s is recorded by the arrays theory.
y ≤ x + s[i] is asserted as (y ≤ x + s[i]) = true. The arrays theory gives s[i] = 0; arithmetic then derives x = y, which is propagated to the uninterpreted theory; congruence gives h(x) = h(y), which is propagated back to arithmetic, giving h(x) − h(y) = 0. P(h(x) − h(y)) therefore simplifies to P(0), so true is merged with false and the formula is unsatisfiable.]
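The propagation loop of the two slides above, as an added example (not SVC's code). It keeps the slides' idea: literals are not purified, every literal is handed to one theory, each term is marked with the theories that use it, and only equalities between terms used by more than one theory are propagated, and only to the theories that use the left side. The theory interface (use, assert_literal, assert_equal, consistent, entailed_equalities), the tuple encoding of terms, and the two theories (arithmetic restricted to difference bounds u − v ≤ c, and uninterpreted functions with a brute-force congruence closure) are this example's own. The input is a constructed variant of the slides' example with the arrays theory left out and the predicate P replaced by the bound h(x) − h(y) ≤ −1, so that the same two-way exchange happens: arithmetic derives x = y, uninterpreted functions answer with h(x) = h(y), and arithmetic then finds the contradiction.

```python
import math
from itertools import combinations

# Terms: a variable is a str; an application is a tuple (fn, arg, ...). A literal given to
# arithmetic has the form ("<=", u, v, c), meaning u - v <= c, with u and v opaque terms.

class DifferenceBounds:
    """Arithmetic restricted to u - v <= c; an entailed equality is a zero-weight cycle."""
    def __init__(self):
        self.terms, self.edges = set(), {}    # edges: (u, v) -> tightest c with u - v <= c
    def use(self, t): self.terms.add(t)
    def assert_literal(self, lit):
        _, u, v, c = lit
        self.use(u); self.use(v)
        self.edges[(u, v)] = min(self.edges.get((u, v), math.inf), c)
    def assert_equal(self, a, b):             # a = b is a - b <= 0 and b - a <= 0
        self.assert_literal(("<=", a, b, 0)); self.assert_literal(("<=", b, a, 0))
    def closure(self):                        # Floyd-Warshall over the constraint graph
        ts = list(self.terms)
        d = {(u, v): (0 if u == v else math.inf) for u in ts for v in ts}
        for (u, v), c in self.edges.items():
            d[(u, v)] = min(d[(u, v)], c)
        for k in ts:
            for i in ts:
                for j in ts:
                    d[(i, j)] = min(d[(i, j)], d[(i, k)] + d[(k, j)])
        return d
    def consistent(self):                     # a negative cycle means the bounds are unsat
        d = self.closure()
        return all(d[(u, u)] >= 0 for u in self.terms)
    def entailed_equalities(self):            # u - v <= 0 and v - u <= 0 entail u = v
        d = self.closure()
        return [(u, v) for u, v in combinations(sorted(self.terms, key=str), 2)
                if d[(u, v)] <= 0 and d[(v, u)] <= 0]

class Uninterpreted:
    """Congruence closure over applications; entailed equalities are same-class pairs."""
    def __init__(self):
        self.parent, self.apps = {}, set()
    def use(self, t):
        if t not in self.parent:
            self.parent[t] = t
            if isinstance(t, tuple):
                self.apps.add(t)
                for arg in t[1:]: self.use(arg)
    def find(self, t):
        while self.parent[t] != t: t = self.parent[t]
        return t
    def assert_equal(self, a, b):
        self.use(a); self.use(b)
        self.parent[self.find(a)] = self.find(b)
        changed = True
        while changed:                        # congruence: f(p1, ...) = f(q1, ...) once each pi ~ qi
            changed = False
            for p, q in combinations(sorted(self.apps, key=str), 2):
                if (p[0] == q[0] and len(p) == len(q) and self.find(p) != self.find(q)
                        and all(self.find(x) == self.find(y) for x, y in zip(p[1:], q[1:]))):
                    self.parent[self.find(p)] = self.find(q); changed = True
    def consistent(self): return True         # no disequalities reach this theory in the example
    def entailed_equalities(self):
        return [(a, b) for a, b in combinations(sorted(self.parent, key=str), 2)
                if self.find(a) == self.find(b)]

class NelsonOppen:
    def __init__(self):
        self.theories = {"arith": DifferenceBounds(), "uf": Uninterpreted()}
        self.users = {}                       # term -> names of the theories that use it
    def _use(self, name, t):
        self.users.setdefault(t, set()).add(name)
        self.theories[name].use(t)
        if isinstance(t, tuple):              # an application belongs to UF ...
            if name != "uf": self._use("uf", t)
            else:
                for arg in t[1:]: self._use("uf", arg)   # ... which also uses its arguments
    def add(self, lit):                       # every literal of the example is arithmetic
        self._use("arith", lit[1]); self._use("arith", lit[2])
        self.theories["arith"].assert_literal(lit)
    def shared(self, t): return len(self.users.get(t, ())) > 1
    def check(self):                          # propagate shared equalities to a fixpoint; (sat, log)
        known, log = set(), []
        while True:
            if not all(th.consistent() for th in self.theories.values()):
                return False, log
            new = [(name, a, b) for name, th in self.theories.items()
                   for a, b in th.entailed_equalities()
                   if self.shared(a) and self.shared(b) and frozenset((a, b)) not in known]
            if not new:
                return True, log
            for name, a, b in new:
                known.add(frozenset((a, b)))
                for other in sorted(self.users[a] - {name}):   # only theories using the left side
                    self.theories[other].assert_equal(a, b)
                    log.append(f"{name} -> {other}: {a} = {b}")

def solve(literals):
    no = NelsonOppen()
    for lit in literals:
        no.add(lit)
    return no.check()

# Constructed variant of the slides' example: x <= y, y <= x, h(x) - h(y) <= -1
EXAMPLE = [("<=", "x", "y", 0), ("<=", "y", "x", 0), ("<=", ("h", "x"), ("h", "y"), -1)]
```

solve(EXAMPLE) returns (False, ['arith -> uf: x = y', "uf -> arith: ('h', 'x') = ('h', 'y')"]): the only equalities that cross the boundary are the two between shared terms, and nothing about the internal bounds is ever sent. Dropping the first literal, solve(EXAMPLE[1:]) returns (True, []) because no equality is entailed and nothing is propagated.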
Shostak Style Combinations
More efficient than Nelson-Oppen, but not as widely applicable.
Only applies to theories which are canonizable and algebraically solvable.
Input formulas are solved for a single variable.
No need to propagate equalities.
Our Approach to Shostak
Use theory-specific Rewrite code to solve and canonize formulas.
Both Shostak-style and Nelson-Oppen-style theories can be integrated in the same framework.
The proof of correctness is easier than in other treatments of Shostak because we can treat uninterpreted functions as belonging to a separate Nelson-Oppen-style theory.
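The Rewrite-based Shostak integration described above, as an added example (not SVC's code) for linear arithmetic over the rationals: canonize is the theory-specific rewrite that brings a term to a sorted linear form with all solved variables substituted away, and solve turns an asserted equation into "variable = term" and folds it into the solution set, so no equalities need to be propagated. The linear-term encoding (a dict from variable name to coefficient, with the key "" for the constant), the mini-parser, and the rule of solving for the first variable in canonical order are this example's own assumptions.

```python
from fractions import Fraction

# A linear term is a dict: variable -> coefficient (Fraction); the key "" holds the constant.

def canon(t):
    """Canonical form: zero coefficients dropped, keys in a fixed (sorted) order."""
    return {v: c for v, c in sorted(t.items()) if c != 0}

def subst(t, sol):
    """Replace every solved variable of t by its solution, then canonize."""
    out = {}
    for v, c in t.items():
        for w, d in sol.get(v, {v: Fraction(1)}).items():
            out[w] = out.get(w, Fraction(0)) + c * d
    return canon(out)

def parse(s):
    """'2*x - y + 3' -> {'': 3, 'x': 2, 'y': -1}; a constructed mini-parser for readable input."""
    t = {}
    for part in s.replace(" ", "").replace("-", "+-").split("+"):
        if not part:
            continue
        coef, _, var = part.partition("*")
        if not var and coef.lstrip("-").isalpha():       # bare variable such as "x" or "-y"
            coef, var = ("-1" if coef.startswith("-") else "1"), coef.lstrip("-")
        t[var] = t.get(var, Fraction(0)) + Fraction(coef)
    return canon(t)

class ShostakArith:
    """Solution set kept in solved form: no solved variable's term mentions a solved variable."""
    def __init__(self):
        self.solution = {}                               # variable -> canonical term

    def canonize(self, t):                               # the theory-specific Rewrite
        return subst(t, self.solution)

    def solve(self, lhs, rhs):
        """Assert lhs = rhs; returns 'solved', 'trivial' (already implied) or 'unsat'."""
        diff = self.canonize({v: lhs.get(v, Fraction(0)) - rhs.get(v, Fraction(0))
                              for v in set(lhs) | set(rhs)})   # lhs - rhs, simplified
        vars_ = [v for v in diff if v]
        if not vars_:                                    # only a constant is left
            return "trivial" if not diff else "unsat"
        x, cx = vars_[0], diff[vars_[0]]                 # solve for the first variable in canonical order
        x_eq = canon({v: -c / cx for v, c in diff.items() if v != x})
        for y in self.solution:                          # keep earlier solutions in solved form
            self.solution[y] = subst(self.solution[y], {x: x_eq})
        self.solution[x] = x_eq
        return "solved"

def demo():
    """x + y = 2, then x - y = 0, then 2*x = y + 1 (now implied), then x = 3 (now contradictory)."""
    th = ShostakArith()
    steps = [("x + y", "2"), ("x - y", "0"), ("2*x", "y + 1"), ("x", "3")]
    return [th.solve(parse(l), parse(r)) for l, r in steps], th.solution
```

demo() returns (['solved', 'solved', 'trivial', 'unsat'], {'x': {'': 1}, 'y': {'': 1}}): the first equation is solved as x = 2 − y, the second canonizes to 2 − 2y = 0 and is solved as y = 1, which is substituted back so that x = 1; the third canonizes to 0 = 0 and the fourth to −2 = 0. In the framework, the solved form plays the role of the representative that Simplify substitutes for the variable, which is why a Shostak-style theory never has to propagate equalities itself.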
Outline (next section: Conclusions)
Conclusions
What have we learned?
  There is a demand for efficient cooperating decision procedures.
  Getting it right is hard; a solid theoretical foundation is necessary.
Future work
  The next version of SVC is under development.
  New theories.
  Relax restrictions on what kinds of theories can be integrated.
Stay tuned
Visit the SVC home page at http://verify.stanford.edu/SVC