SMT 2007: 5th International Workshop on Satisfiability Modulo Theories


CAV 2007: 19th International Conference on Computer-Aided Verification, July 2007, Berlin, Germany
SMT 2007: 5th International Workshop on Satisfiability Modulo Theories, July 1-2, 2007
Proceedings
Editors: Sava Krstić, Albert Oliveras


Preface

This volume contains the proceedings of SMT 2007, the 5th International Workshop on Satisfiability Modulo Theories (formerly called PDPAR), held in Berlin, Germany, on July 1-2, 2007. The workshop was affiliated with the 19th International Conference on Computer-Aided Verification (CAV 2007). The aim of the workshop was to bring together researchers working on SMT and users of SMT techniques, and to provide a forum for discussing new decision procedures and new theories of interest, combinations of decision procedures, novel implementation techniques, benchmarks and evaluation methodologies, and theoretical results related to SMT.

Following the initiative started at PDPAR 06, we accepted not only original papers but also presentation-only papers: high-quality work previously published in other venues. The intention was to give SMT 2007 attendees access to important developments they might otherwise be unaware of.

The final program included:
- invited talks by Peter O'Hearn (Queen Mary, University of London) and Rupak Majumdar (University of California, Los Angeles)
- 9 technical paper presentations, including 5 original papers and 4 presentation-only papers
- a panel on the SMT-LIB language
- a session dedicated to the SMT competition (SMT-COMP), where the participants briefly described their tools

We gratefully acknowledge the financial support of Microsoft Research and Intel Corporation.

Sava Krstić and Albert Oliveras
SMT 2007 co-chairs
Hillsboro and Barcelona, July 2007

Programme Chairs
- Sava Krstić (Intel Corporation)
- Albert Oliveras (Universitat Politècnica de Catalunya)

Programme Committee
- Clark Barrett (New York University)
- Alessandro Cimatti (ITC-IRST, Trento)
- Byron Cook (Microsoft Research, Cambridge)
- Amit Goel (Intel Corporation)
- Aarti Gupta (NEC Labs America)
- Shuvendu Lahiri (Microsoft Research, Redmond)
- Leonardo de Moura (Microsoft Research, Redmond)
- Robert Nieuwenhuis (Universitat Politècnica de Catalunya)
- Silvio Ranise (LORIA, Nancy)
- Roberto Sebastiani (Università di Trento)
- Ofer Strichman (Technion)
- Cesare Tinelli (University of Iowa)
- Ashish Tiwari (SRI International)

Table of Contents

Invited talks
- Proofs and Counterexamples (invited talk). Rupak Majumdar
- Proof Procedures for Separated Heap Abstractions (invited talk). Peter O'Hearn

Original papers
- Encoding First Order Proofs in SMT. Jeremy Bongio, Cyrus Katrak, Hai Lin, Ralph Eric McGregor, Christopher Lynch, Yuefeng Tang
- CC(X): Efficiently Combining Equality and Solvable Theories without Canonizers. Sylvain Conchon, Evelyne Contejean, Johannes Kanig
- E-matching for Fun and Profit. Michal Moskal, Jakub Lopuszanski, Joseph Kiniry
- Generating Minimum Transitivity Constraints in P-time for Deciding Equality Logic. Ofer Strichman, Mirron Rozanov
- Model-based Theory Combination. Leonardo de Moura, Nikolaj Bjorner

Presentation-only papers
- Solving Quantified Verification Conditions using Satisfiability Modulo Theories. Yeting Ge, Clark Barrett, Cesare Tinelli
- Combination Methods for Model-Checking of Infinite-State Systems. Silvio Ghilardi, Enrica Nicolini, Silvio Ranise, Daniele Zucchelli
- Deciding Unbounded Heaps in an SMT Framework. Zvonimir Rakamaric, Roberto Bruttomesso, Alan Hu, Alessandro Cimatti
- Efficient E-matching for SMT Solvers. Leonardo de Moura, Nikolaj Bjorner


Proofs and Counterexamples (Invited talk)
Rupak Majumdar, University of California, Los Angeles

Abstract. Finding precise yet small abstractions automatically has been one of the biggest challenges in software verification. In this talk, I shall outline some recent work in generating abstractions automatically through the analysis of counterexample traces. Decision procedures play a fundamental role in this process, both to check whether a counterexample is genuine or spurious, and to generate abstract explanations in case the counterexample is spurious. Conversely, algorithms for counterexample analysis have influenced the interface exposed by a modern decision procedure: in addition to a yes/no decision, the decision procedure must produce proofs of unsatisfiability and interpolants.

Proof Procedures for Separated Heap Abstractions (Invited talk)
Peter O'Hearn, Queen Mary, University of London, ohearn@dcs.qmul.ac.uk

Abstract. Separation logic is a program logic geared towards reasoning about programs that mutate heap-allocated data structures. This talk describes ideas arising from joint work with Josh Berdine and Cristiano Calcagno on a proof procedure for a sublogic of separation logic that is oriented to lightweight program verification and analysis. The proof theory uses ideas from substructural logic together with induction-free reasoning about inductive definitions of heap structures. Substructural reasoning is used to infer frame axioms, which describe the portion of a heap that is not altered by a procedure, as well as to discharge verification conditions; more precisely, the leaves of failed proofs can give us candidate frame axioms. Full automation is achieved through the use of special axioms that capture properties that would normally be proven by induction. I will illustrate the proof method through its use in the Smallfoot static assertion checker, where it is used to prove verification conditions and infer frame axioms, as well as in the Space Invader program analysis, where it is used to accelerate the convergence of fixed-point calculations.

Encoding First Order Proofs in SMT
Jeremy Bongio, Cyrus Katrak, Hai Lin, Christopher Lynch, Ralph Eric McGregor
Clarkson University
June 4, 2007

Abstract. We present a method for encoding first order proofs in SMT. Our implementation, called ChewTPTP-SMT, transforms a set of first order clauses into a propositional encoding (modulo theories) of the existence of a rigid first order connection tableau and the satisfiability of unification constraints, which is then fed to Yices. For the unification constraints, terms are represented as recursive datatypes, and unification constraints are equations on terms. The finiteness of the tableau is encoded by linear real arithmetic inequalities. We compare our implementation with our previous implementation ChewTPTP-SAT, which encodes rigid connection tableaux in SAT, and show that for Horn clauses many fewer propositional clauses are generated by ChewTPTP-SMT, and ChewTPTP-SMT is much faster than ChewTPTP-SAT. This is not the case for our non-Horn clause encoding. We explain this, and we conjecture a rule of thumb on when to use theories in encoding a problem.

1 Introduction

Recent techniques in SAT solving have resulted in extremely fast procedures for solving propositional satisfiability problems [8], based on the DPLL method [4]. As an application of these techniques, we have developed an automated theorem prover called ChewTPTP-SAT [6], which encodes rigid first order theorem proving problems as SAT problems and solves those SAT problems using Minisat [8]. Rigid unsatisfiability has been studied as early as [3, 1]. A set of first order clauses is rigidly unsatisfiable if and only if there exists a closed rigid connection tableau for that set of clauses [10]. Our encoding uses this fact and decides the satisfiability of a set of rigid clauses by encoding the existence of a rigid connection tableau in SAT.

A set of Horn clauses is encoded by creating propositional clauses representing the following requirements of a tableau T: (1) The root of the tableau must be a clause with only negative literals. (2) If a clause is in the tableau, then all its negative literals are in the tableau. (3) If a negative literal is in the tableau, then it must be extended by some clause. (4) If a negative literal A is extended by a clause C, then A must unify with the positive literal in C. (5) All unifications must be consistent with each other. (6) The tableau must be finite, i.e., there is no cycle.

For connection tableaux for non-Horn clauses, literals are either extended or complementary to an ancestor literal in their branch. For efficiency reasons, we choose to encode a clause tableau as a DAG, so there may be many branches from the root to a node. Therefore, we encode the fact that each literal L in the tableau must either be extended or all paths from the root to that node must contain a literal complementary to L. A tableau may have the same clause on different branches, and those branches may be closed with different literals. Therefore, we may have to add more instances of clauses to find a closed tableau. This cannot be avoided, since rigid Horn clause satisfiability is NP-complete, but rigid non-Horn clause satisfiability is $\Sigma^p_2$-complete [9]. However, because of the DAG structure, we can often encode many instances of a clause with just one instance. Since we encode rigid proofs, the proof of unsatisfiability of a set of clauses may require repeating the encoding with fresh variants of each clause. However, there are also applications which really require rigid proofs [5].

Our original ChewTPTP-SAT implementation [6] performed well on some problems, but some of the encodings created huge sets of clauses. Some parts of our encoding represented choices made, such as which clause to extend each literal with.
But other parts of our encoding represented deterministic procedures, such as deciding the consistency of unification constraints and deciding the acyclicity of the DAG, i.e. verifying that a particular property holds of the DAG. Furthermore, in experimental results with Horn clauses, approximately 99% of the clauses generated were encoding the deterministic procedures, and only about 1% represented the choices. We had an eager encoding of unification and acyclicity. We decided the implementation would be more efficient if unification and acyclicity were encoded lazily, and implemented these changes in ChewTPTP-SMT. It makes sense to express the choices involved in building the tableau using SAT, and the verification of unification and acyclicity using underlying theories. Therefore, we chose to encode our problem as Satisfiability Modulo Theories [12], and we replaced Minisat [8] with Yices [7].

Yices has a theory for recursive datatypes, which can be used to represent terms. A term can be defined by using function symbols as constructors. Each function symbol of arity n is a constructor with n arguments. Constants are constructors with no arguments. Predicate symbols are viewed the same as function symbols. Variables are instances of terms. Then unification is represented as usual as equality of terms. We represent acyclicity using linear arithmetic. Consider a graph G = (V, E). If an edge (u, v) exists in E, then we assert an inequality $x_u < x_v$ for some real numbers $x_u$ and $x_v$. Then G is acyclic if and only if the set of inequalities is consistent.

In this paper, we describe our implementation of ChewTPTP-SMT, and compare our results with ChewTPTP-SAT. We show that in the Horn encoding, ChewTPTP-SMT produces far fewer clauses than ChewTPTP-SAT. The time needed to decide satisfiability is also drastically reduced. This is not the case for non-Horn clauses. We explain why this is the case and give a rule of thumb for when theories should be used for encoding.

2 Clausal Tableau

See [2] for a detailed description of first order logic and a background discussion on the validity of a first order logic formula. We use the following definition of tableau [10].

Definition 1 Clausal tableaux are trees with nodes labeled with literals and branches labeled either open or closed. Clausal tableaux are inductively defined as follows. Let $S = \{C_1, \dots, C_n\}$ be a set of clauses. If T is a tree consisting of a single unlabeled node N, then T is a clausal tableau for S. The branch consisting of only the root node N is open. If N is a leaf node on an open branch B in the tableau T for S and one of the following inference rules is applied to T, then the resulting tree is a clausal tableau for S.
- (Expansion rule) Let $C_k$ be a clause in S. Replace each variable in $C_k$ with a new variable not appearing in T. Suppose $L_{k1}, \dots, L_{ki}$ is the resulting clause. Construct a new tableau T' by adding i children to N and labeling them $L_{k1}$ through $L_{ki}$. Label each of the i new branches open. T' is a clausal tableau for S.
- (Closure rule) Suppose $L_{ij}$ is the literal at N and there is a predecessor node with literal $L_{pq}$ such that $L_{ij}$ is unifiable with the negation of $L_{pq}$. Construct T' from T by applying the unifier to T and labeling the branch containing $L_{ij}$ as closed. T' is a clausal tableau for S.
A clause which is added to the root node is called the start clause, and we say that a clause is in a tableau if the clause was used in an application of the expansion rule.

Definition 2 A clausal tableau is tightly connected if each clause (except the start clause) in the tableau contains some literal which is unifiable with the negation of its predecessor.

Connected clausal tableaux use an additional rule called the extension rule.

Definition 3 (Extension Rule) Let N be a node in the tableau T and let $C_k$ be a clause in S such that there exists a literal $L_{ik}$ in $C_k$ which is unifiable with the negation of N. Apply the expansion rule with $C_k$ and immediately apply the closure rule with $L_{ik}$.

Definition 4 The calculus for connection tableaux consists of the expansion rule (for the start clause only), the closure rule, and the extension rule.

We call a tableau closed if each leaf node has been closed by an application of the closure rule. By [11] we can require that the start clause is a negative clause, since there exists a negative clause in any minimally unsatisfiable set.

2.1 Rigid Unsatisfiability

The main problem in Automated Theorem Proving is to determine whether a set of hypotheses implies a conclusion, or equivalently whether a formula F is unsatisfiable. We will assume that F is in CNF. The problem of rigid unsatisfiability of F is to determine whether there exists a ground instance of F which is unsatisfiable. A rigid tableau is a tableau in which multiple instances of a clause appearing in the tableau are identical copies of the clause appearing in F. One result of tableau theory is the completeness and soundness of closed connection tableaux.

Theorem 1 There exists a closed connection (rigid) tableau for F iff F is (rigidly) unsatisfiable [10].

3 Tableau Encoding

Our method to determine the rigid unsatisfiability of F generates a set S of propositional logic clauses, modulo the theories of unification and inequalities, which encodes a rigid closed connection tableau for F, and tests the satisfiability of S with an SMT solver. We provide two encodings, the first for problems containing only Horn clauses and the second for those containing non-Horn clauses. Given F we enumerate each of the clauses in F and each of the literals in each clause. We denote clause i by $C_i$ and the j-th literal in clause i by $L_{ij}$. We denote by $A_{ij}$ the atom of $L_{ij}$. Therefore $L_{ij}$ is either of the form $A_{ij}$ or $\neg A_{ij}$.

3.1 Encoding for Horn Clauses

Let F be a set of first order logic formulas. We define a set of propositional variables $c_m$, $l_{mn}$, $e_{mnq}$, disjoint from the symbols in F, as follows:
- $c_m = T$ iff $C_m$ appears in the tableau.
- $l_{mn} = T$ iff $L_{mn}$ is an internal node in the tableau.
- $e_{mnq} = T$ iff $C_q$ is an extension of $L_{mn}$.
- For each pair of clauses $C_i$ and $C_j$ we define $(x_i < x_j) = T$ (where $x_i$ and $x_j$ are fresh variables not occurring in F) iff there exists a path from $C_i$ to $C_j$.
- For each pair of atoms $A_i$ and $A_j$ in F, we define $(A_i = A_j) = T$ iff $A_i$ and $A_j$ are the two atoms involved in an application of the closure rule.

Below we list the set of clauses that we generate and provide their meaning.

At least one clause containing only negative literals appears in the tableau:
$\bigvee_{C_m \text{ negative}} c_m$ (1)

If $C_m$ appears in the tableau and $L_{mn}$ is a negative literal, then $L_{mn}$ is an internal node in the tableau:
$c_m \rightarrow l_{mn}$ (2)

If $L_{mn}$ is an internal node in the tableau, then for some $q_j$, $C_{q_j}$ is an extension of $L_{mn}$:
$l_{mn} \rightarrow (e_{mnq_1} \lor \dots \lor e_{mnq_k})$ (3)
where $\{C_{q_1}, \dots, C_{q_k}\}$ is the set of all clauses whose positive literal is unifiable with the atom of $L_{mn}$.

If $C_q$ is an extension of $L_{mn}$, then $C_q$ exists in the tableau:
$e_{mnq} \rightarrow c_q$ (4)

If $C_q$ is an extension of $L_{mn}$ and $L_{qr}$ is the positive literal in $C_q$, then $A_{mn}$ and $A_{qr}$ are unifiable:
$e_{mnq} \rightarrow (A_{mn} = A_{qr})$ (5)

If $C_q$ is an extension of $L_{mn}$, then there is a path from $C_m$ to $C_q$:
$e_{mnq} \rightarrow (x_m < x_q)$ (6)

The encoding is satisfiable if and only if the original set of first order Horn clauses is rigidly unsatisfiable. We encode non-rigid unsatisfiability by continually adding new instances of each clause, standardized apart.

3.2 Encoding for Non-Horn Clauses

For non-Horn problems we use a different set of variables and generate a different set of clauses. Note: we say that two literals are complementary if they have opposite signs and their atoms are unifiable. We define the variables $s_m$, $c_{mn}$, $l_{mn}$, $e_{mnqj}$, $o_{ijkl}$ and $q_{mnij}$, disjoint from the symbols in F, as follows.
- $s_m = T$ iff $C_m$ is the start clause.
- $c_{mn} = T$ iff $C_m$ appears in the tableau and $L_{mn}$ is complementary to its parent.
- $l_{mn} = T$ iff $L_{mn}$ is a node in the tableau and is not a leaf node created by an application of the extension rule.
- $e_{mnqj} = T$ iff $C_q$ is an extension of $L_{mn}$ and $L_{qj}$ is the complement of $L_{mn}$.
- $o_{ijkl} = T$ iff $L_{ij}$ and $L_{kl}$ are a pair of literals used in a closure but not by the extension rule.
- If a path to a node N contains the complement of N, then we say that the path is closed. $q_{mnij} = T$ iff $L_{mn}$ is a leaf, $L_{ij}$ is a node on a path from the root node to $L_{mn}$, and every path from the root to $L_{ij}$ contains a complement of $L_{mn}$.
- For each pair of clauses $C_i$ and $C_j$ we define $(x_i < x_j) = T$ (where $x_i$ and $x_j$ are fresh variables not occurring in F) iff there exists a path from $C_i$ to $C_j$.
- For each pair of atoms $A_i$ and $A_j$ in F, we define $(A_i = A_j) = T$ iff $A_i$ and $A_j$ are the two atoms involved in an application of the closure rule.

The clauses are as follows.

There exists a start clause in the tableau which only contains negative literals:
$\bigvee_{C_m \text{ negative}} s_m$ (7)

If $C_m$ is the start clause in the tableau, then each literal $L_{mn}$ of $C_m$ is in the tableau:
$s_m \rightarrow l_{mn}$ (8)

If $C_i$ appears in the tableau and $L_{ij}$ is the complement of a literal in its parent, then all other literals of $C_i$ are in the tableau:
$c_{ij} \rightarrow l_{ik}$ where $j \neq k$ (9)

If $L_{ij}$ exists in the tableau and is not a leaf node created by an application of the closure rule, then either every branch ending at $L_{ij}$ is closed or there is an extension of $L_{ij}$:
$l_{ij} \rightarrow (q_{ijij} \lor \bigvee_{k,l} e_{ijkl})$ (10)

If $L_{ij}$ is extended with $C_k$, then $C_k$ is in the tableau and some $L_{kl}$ of $C_k$ is the complement of $L_{ij}$:
$e_{ijkl} \rightarrow c_{kl}$ (11)

If clause $C_m$ is an extension of $L_{ij}$ and literals $L_{ij}$ and $L_{ml}$ are complements, then $A_{ij}$ and $A_{ml}$ are unifiable:
$e_{ijml} \rightarrow (A_{ij} = A_{ml})$ (12)

If $L_{ij}$ and $L_{kl}$ are a pair used in a closure, then they must be unifiable:
$o_{ijkl} \rightarrow (A_{ij} = A_{kl})$ (13)

If $L_{ij}$ has the same sign as $L_{kl}$, or their respective atoms are not unifiable, then they are not complements:
$\neg o_{ijkl}$ where $L_{ij}$ and $L_{kl}$ are not complementary (14)

If every path through $L_{kl}$ to leaf $L_{ij}$ is closed and $C_k$ is an extension of $L_{mn}$, then either $L_{ij}$ is a complement of $L_{mn}$ or every path through $L_{mn}$ to $L_{ij}$ is closed:
$q_{ijkl} \rightarrow (e_{mnkp} \rightarrow (o_{ijmn} \lor q_{ijmn}))$ (15)

If $C_k$ is an extension of $L_{ij}$, then there is a path from clause $C_i$ to clause $C_k$:
$e_{ijkl} \rightarrow (x_i < x_k)$ (16)

If $C_i$ is the start clause, then there are no inferences into any of the literals in $C_i$:
$s_i \rightarrow \neg e_{klij}$ (17)

If $C_i$ is the start clause, $L_{mn}$ is a leaf, and all paths that traverse $L_{ij}$ to $L_{mn}$ are closed, then $L_{ij}$ and $L_{mn}$ are complementary:
$s_i \rightarrow (q_{mnij} \rightarrow o_{mnij})$ (18)

We represent our tableau as a DAG, so there is some structure sharing. But even with the structure sharing, a non-Horn clause tableau may need more than one instance of the same clause. Rigid unsatisfiability could be determined by continually adding identical instances of a clause. The non-Horn encoding could also be extended to the non-rigid case in the same way as the Horn encoding.

4 Implementation and Experimental Results

We have implemented our tableau encoding in our theorem prover ChewTPTP-SMT, which is an extension of ChewTPTP-SAT [6]. In ChewTPTP-SAT, instead of using theories, we encoded the consistency of the unifiers and the acyclicity of the tableau with additional propositional clauses. To encode the consistency of the unifiers, we encoded the equations that would be created if a unification algorithm were run. We do not know ahead of time which unifiers we will have to create, so we encode everything that can possibly occur when the unification algorithm is run. To encode the absence of a cycle, we encode the existence of a path from one clause to another and the fact that there is no path from a clause to itself. This requires encoding all possible transitivity and irreflexivity axioms that may occur. Our implementation allows the user to decide whether ChewTPTP encodes the problem as a SAT problem or an SMT problem.
If the user chooses SMT, our implementation uses Yices to test the satisfiability of the encoding. If the user chooses SAT, then the user can also choose whether to test satisfiability using Yices or Minisat, with a DIMACS encoding of SAT. We tested our prover in all three settings on a subset of TPTP [13] problems. Results of the experiments can be found in an extended form of this paper (see footnote 1). SMT-Y denotes our prover run in SMT mode, SAT-Y is SAT mode using Yices, and SAT-M is SAT mode using Minisat. For Horn clauses, we ran ChewTPTP on all the Horn problems in the TPTP database, but for non-Horn we only had time to run it on the GRP problems. We report all problems that both provers solved within five minutes but on which SAT-M took more than one second. We believe the problems in these tables are representative of the overall results. Columns in the table show the running time of each method, the clause generation time rounded to the nearest second, the number of clauses generated, and the number of variables generated for each method. We also show whether or not the problem is rigidly satisfiable. For these experiments, we only tested rigid satisfiability with one instance of each clause.

We wanted to see if working modulo theories would improve the performance of ChewTPTP. In the Horn case the running time was reduced significantly, with a small number of exceptions. In the non-Horn case, working modulo theories often increased the running time. Generally, Yices was faster than Minisat on SAT problems without theories.

We believe we have an explanation for our results. In the Horn problems the number of clauses is reduced by an order of magnitude, whereas in the non-Horn problems the number of clauses is not reduced by much. This suggests that working modulo theories is only useful when the number of clauses is reduced significantly. In the Horn encoding, everything can be encoded in $O(n^2)$ space except for the encoding of unification and acyclicity, which require $O(n^3)$ space. When we remove the clauses used to represent unification and acyclicity, the number of clauses is $O(n^2)$. However, for the encoding of non-Horn clauses, we must encode the fact of a leaf node having a complementary literal as an ancestor. This encoding is $O(n^3)$.
We do not know how to encode this using the theories of Yices, so we have kept the propositional encoding. Therefore, when we remove the encoding of unification and acyclicity, the entire encoding of the problem is still $O(n^3)$. We conjecture a good rule of thumb for deciding when it is useful to encode properties using theories: if the number of clauses can be reduced by a factor of n, then the encoding is useful, but if the asymptotic complexity remains the same, then it is not a good idea.

5 Conclusion

We have given an application of SMT to theorem proving in first order logic by encoding the existence of a rigid connection tableau in SMT. We have implemented the SMT encoding in our theorem prover ChewTPTP-SMT.

Footnote 1: clynch/papers/chewtptp-smt.pdf

We compared it with our initial version of ChewTPTP-SAT, where a rigid connection tableau was encoded in SAT. Compared to our encoding in SAT, the encoding in SMT is more natural and more efficient. As part of our encoding, we need to encode the solving of unification problems and the acyclicity of the tableau. In SAT, it was necessary to add cubically many clauses to encode the solving of unification. In addition, it was necessary to add cubically many clauses to encode the acyclicity of the tableau. However, when encoding this information in SMT, there was no need to encode the solving of unification, since this was accomplished directly with the Yices recursive datatype theory. The number of unification clauses was reduced from a cubic to a quadratic number. Similarly for acyclicity of the tableau, we did not need to encode the transitivity and irreflexivity of the path relation. We only needed to express edges in the tableau as inequalities. The number of clauses to represent acyclicity also dropped from a cubic number to a quadratic number. In the Horn encoding, all the other information in the tableau can also be encoded with a quadratic number of clauses. Therefore the entire encoding of the existence of a tableau dropped from a cubic number of clauses in SAT to a quadratic number in SMT. This drastically reduced the number of clauses, and simultaneously decreased the time needed to decide the satisfiability of the clauses. There was only a small reduction in the number of clauses for non-Horn clauses, because we still need to encode the fact that all paths in the tableau can be closed. Therefore the entire encoding is still cubic, and the running time was actually worse. We conjecture a rule of thumb saying that it is worthwhile to use theories if the number of clauses is reduced by a factor of n, but not worthwhile if the asymptotic number remains the same.
For future work, we hope to be able to use SMT to further reduce the representation for non-Horn clauses, ideally cutting it down to a quadratic number of clauses. It would be possible to define a theory to do this directly, but we have not yet figured out how to do it with the existing theories in Yices. In addition, in order to prove the general first order problem we also need to find a good way to decide exactly which clauses should be copied. We would like a method to decide satisfiability from rigid satisfiability. It would be useful to have an encoding of rigid clauses modulo a non-rigid theory, as discussed in [5]. This way, we could immediately identify some clauses as non-rigid, and work modulo those clauses.

Acknowledgments. We would like to thank Leonardo de Moura for his explanation of how to express unification problems in Yices using recursive datatypes.
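The two checks that this paper hands to the theory solver (Sections 1 and 5): unification of terms built as recursive datatypes, and acyclicity of the tableau DAG expressed as inequalities $x_u < x_v$ on its edges, are written out below in plain Python as an added example. This is not ChewTPTP code and not how Yices implements either theory. The term syntax (a string for a variable, a `(symbol, args)` tuple otherwise) and all function names are this example's assumptions. The acyclicity check uses the standard difference-constraint decision procedure (Bellman-Ford negative-cycle detection) over the integer form $x_u - x_v \le -1$, which is satisfiable exactly when the real strict inequalities are, since every constraint-graph edge has weight -1 and so any cycle is negative.

```python
# Added example: the two theory-side checks behind clauses (5) and (6) of the
# Horn encoding, in plain Python. Not ChewTPTP or Yices code; the term
# representation below is this example's own convention.

# A term is a variable (a str) or a tuple (symbol, args) with args a tuple of
# terms; constants are (symbol, ()). Each function symbol is a constructor,
# mirroring the "constructor per function symbol" view of recursive datatypes.

def is_var(t):
    return isinstance(t, str)

def walk(t, subst):
    """Follow variable bindings until a non-variable or an unbound variable."""
    while is_var(t) and t in subst:
        t = subst[t]
    return t

def occurs(v, t, subst):
    """Occurs check: does variable v appear in t (modulo subst)?"""
    t = walk(t, subst)
    if is_var(t):
        return v == t
    return any(occurs(v, a, subst) for a in t[1])

def unify(equations, subst=None):
    """Robinson unification of a set of term equations. Returns a most general
    unifier (dict var -> term) or None when the equations are inconsistent,
    which is the consistency check the SMT solver performs for the atoms
    (A_mn = A_qr). The occurs check rejects X = f(X): finite terms, like the
    recursive datatypes of Yices, have no such solution."""
    subst = dict(subst or {})
    work = list(equations)
    while work:
        s, t = work.pop()
        s, t = walk(s, subst), walk(t, subst)
        if s == t:
            continue
        if is_var(s):
            if occurs(s, t, subst):
                return None
            subst[s] = t
        elif is_var(t):
            if occurs(t, s, subst):
                return None
            subst[t] = s
        else:
            (f, fargs), (g, gargs) = s, t
            if f != g or len(fargs) != len(gargs):
                return None            # clash of function symbols
            work.extend(zip(fargs, gargs))
    return subst

def resolve(t, subst):
    """Apply a unifier fully, to read off the solved form of a term."""
    t = walk(t, subst)
    if is_var(t):
        return t
    return (t[0], tuple(resolve(a, subst) for a in t[1]))

def acyclic_via_inequalities(edges, nodes=()):
    """Acyclicity as consistency of {x_u < x_v | (u, v) in edges}. Over the
    integers x_u - x_v <= -1 says the same, and a set of difference constraints
    is consistent iff its constraint graph has no negative cycle (Bellman-Ford
    from an implicit source connected to every node with weight 0). Returns a
    satisfying assignment node -> int, or None when the edges form a cycle."""
    nodes = set(nodes) | {x for e in edges for x in e}
    dist = {n: 0 for n in nodes}       # all nodes reached from the source
    for _ in range(len(nodes) - 1):
        changed = False
        for u, v in edges:
            # x_u - x_v <= -1 is the constraint-graph edge v -> u of weight -1
            if dist[v] - 1 < dist[u]:
                dist[u] = dist[v] - 1
                changed = True
        if not changed:
            break
    for u, v in edges:
        if dist[v] - 1 < dist[u]:
            return None                # still relaxable: a negative cycle
    return dist
```

The returned assignment from `acyclic_via_inequalities` is a numbering with $x_u < x_v$ along every edge, i.e. a witness that the tableau is finite, whereas `None` is the inconsistency the SAT side then has to back out of by choosing a different extension.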

References

[1] Andrews P. B. [1981], Theorem Proving via General Matings, Journal of the Association for Computing Machinery, Vol. 28, No. 2.
[2] Bell J. L. and Slomson A. B. [1969], Models and Ultraproducts, An Introduction, Dover.
[3] Chang C. and Lee C. R. [1973], Symbolic Logic and Mechanical Theorem Proving, Academic Press, New York and London.
[4] Davis M., Logemann G. and Loveland D. [1962], A Machine Program for Theorem Proving, Communications of the ACM, Volume 5, Issue 7.
[5] Delaune S., Lin H. and Lynch C. [2007], Protocol Verification via Rigid/Flexible Resolution, submitted.
[6] Deshane T., Hu W., Jablonski P., Lin H., Lynch C. and McGregor R. E. [2007], Encoding First Order Proofs in SAT, to appear in 21st Annual Conference on Automated Deduction (CADE), Bremen, Germany.
[7] Dutertre B. and de Moura L., Yices.
[8] Eén N. and Sörensson N. [2003], An Extensible SAT-Solver, in SAT.
[9] Goubault J. [1994], The Complexity of Resource-Bounded First-Order Classical Logic, Proceedings of the 11th Annual Symposium on Theoretical Aspects of Computer Science, Lecture Notes in Computer Science Vol. 775, Springer-Verlag.
[10] Hähnle R. [2001], Tableaux and Related Methods, in A. Robinson and A. Voronkov, eds, Handbook of Automated Reasoning, Vol. 1, Elsevier Science, chapter 3.
[11] Letz R. and Stenz G. [2001], Model Elimination and Connection Tableau Procedures, in A. Robinson and A. Voronkov, eds, Handbook of Automated Reasoning, Vol. 2, Elsevier Science, chapter 28.
[12] Nieuwenhuis R., Oliveras A. and Tinelli C. [2006], Solving SAT and SAT Modulo Theories: From an Abstract Davis-Putnam-Logemann-Loveland Procedure to DPLL(T), Journal of the ACM, 53(6), November.
[13] Sutcliffe G. and Suttner C. B. [1998], The TPTP Problem Library: CNF Release v1.2.1, Journal of Automated Reasoning, Vol. 21, No. 2.

CC(X): Efficiently Combining Equality and Solvable Theories without Canonizers
Sylvain Conchon, Evelyne Contejean, Johannes Kanig
LRI, Université Paris-Sud, CNRS, INRIA Futurs, Orsay, France

Abstract. We present a generic congruence closure algorithm for deciding ground formulas in the combination of the theory of equality with uninterpreted symbols and a union X of solvable theories. Our algorithm CC(X) is reminiscent of Shostak combination: it maintains a union-find data structure modulo X from which maximal information about implied equalities can be directly used for congruence closure. CC(X) diverges from Shostak's approach by the use of semantical values for class representatives instead of syntactical canonizers. This seemingly insignificant difference has a strong impact on efficiency and expressiveness. It also forces a complete redesign of the algorithm, since global canonization, which is at the heart of Shostak combination, is no longer feasible with semantical values. CC(X) has been implemented in OCaml and is at the core of Ergo, a new automated theorem prover dedicated to program verification.

1 Introduction

Combining decision procedures for the quantifier-free theory of equality over uninterpreted function symbols (E) and other theories is at the core of a number of verification systems. For instance, problem divisions of the SMT competition [4] include the combinations of E and linear arithmetic over the integers, E and the theory of arrays, etc. There are two main paradigms for combining theories: the Nelson-Oppen combination procedure [3] and Shostak's algorithm [6, 5]. The former procedure is very general: it applies to disjoint stably-infinite theories that communicate by an equality propagation mechanism between shared variables. However, quoting Shankar from [5], this method has some disadvantages. Indeed, the theory E has no particular status in this approach, and its combination amounts to implementing a specific decision procedure with the ability to infer and communicate all new implied equalities, which can be very expensive. On the contrary, Shostak's method has been specifically designed for combining E with (a smaller class of) solvable and canonizable theories. Again quoting Shankar [5], Shostak's algorithm tries to gain efficiency, when it is applicable.

20 It is based on an extension of a congruence closure algorithm that maintains a partition of terms within a table (reminiscent of a union-find data structure) mapping terms to representatives. Roughly speaking, a run of this algorithm consists in transforming equations into substitutions using solvers, then applying substitutions to representatives and reducing the latter to normal forms by the use of canonizers so that new equations can be directly drawn from the table. A central point for this method to be effective is that representatives have to be themselves terms. As a consequence, the main operations of the algorithm, substitution application, normal form reduction and equation resolution, have to be directly implemented on term data structures, which is not the best efficient way of implementing a decision procedure 1 (e.g. a term data structure is obviously not optimal to manipulate polynomials). However, relaxing this constraint has strong impacts on the design of the method. Indeed, bringing a representative into a normal form amounts to traversing its syntactic structure for applying the canonizers on interpreted subterms. This global canonization is at the heart of the method and it also guarantees the incrementality of the algorithm. In this paper, we present an algorithm, called CC(X) (for congruence closure modulo X), which combines the theory E with a union X of solvable theories without using canonizers. This algorithm is presented as a set of two inference rules. It uses abstract values as representatives allowing efficient data structures for substitution and normalization operations. Since global canonization is no longer possible, incrementality of the algorithm is not obtained for free. We thus present a new incremental technique whose main originality is that it is clearly separated from the congruence closure part of the system: two extra rules are added to the system while keeping the original set intact. 
As a last remark, as shown in [2], solvers for first order theories almost never combine. However, while this is out of the scope of this paper, we claim that solvers for typed theories (under certain restrictions) can be combined. Therefore, CC(X) sticks with the original spirit of Shostak's method by combining the theory E with only one theory X. We will briefly discuss this point at the end of the paper.

2 Congruence Closure Modulo X

In this section, we present an extension of a congruence closure algorithm capable of combining the theory of equality with uninterpreted function symbols and another theory X that is subject to certain restrictions. In the rest of this paper, Σ denotes the set of all symbols, including interpreted and uninterpreted symbols.

Footnote 1: It is also good to note that this constraint is not imposed by the Nelson-Oppen approach.

2.1 The Theory X

While solvers and canonizers of Shostak theories operate on terms directly, the theory X we are about to introduce works on a certain set R, whose elements are called semantical values. The main particularity is that we don't know the exact structure of these values, only that they are somehow constructed out of terms. To compensate, we dispose of two functions $[\cdot] : T(\Sigma) \to R$ and $\mathit{leaves} : R \to P_f(T(\Sigma))$ which are reminiscent of the variable abstraction mechanism found in the Nelson-Oppen method:

Definition 2.1 We call a theory X a tuple $(\Sigma_X, R, =_X)$, where $\Sigma_X \subseteq \Sigma$ is the set of function symbols interpreted by X, R is a set (of semantical values) and $=_X$ is a congruence relation over terms, $=_X \subseteq T(\Sigma) \times T(\Sigma)$. Additionally, a theory X has the following properties:
- There is a function $[\cdot] : T(\Sigma) \to R$ to construct a semantical value out of a term. For any set E of equations between terms we write $[E]$ for the set $\{[x] = [y] \mid x = y \in E\}$.
- There is a function $\mathit{leaves} : R \to P_f(T(\Sigma))$, where the elements of $P_f(T(\Sigma))$ are finite sets of terms. It returns the set of maximal uninterpreted terms a given semantical value consists of.
- There is a function $\mathit{subst} : T(\Sigma) \times R \times R \to R$. Instead of $\mathit{subst}(p, P, r)$ we write $r\{p \mapsto P\}$. The pair $(p, P)$ is called a substitution and $\mathit{subst}(p, P, r)$ is the application of a substitution to r.
- There is a (partial) function $\mathit{solve} : R \times R \to T(\Sigma) \times R$.
- Let $E_R$ be the set of equations between elements of R. There is a relation $\models \subseteq P(E_R) \times R \times R$ whose intention is the following: if the equalities $e_1, \dots, e_n \in E_R$ imply that $r_1$ equals $r_2$, we write $\{e_1, \dots, e_n\} \models r_1 = r_2$. For $\emptyset \models e$ we write $\models e$.

As we will often talk about successive substitutions, we define an auxiliary function that does just that:

Definition 2.2 There is a function $\mathit{iter} : P(R \times R) \times R \to R$ that applies $\mathit{subst}$ successively in the following way:
$\mathit{iter}(\emptyset, r) = r$
$\mathit{iter}(\{(r_1, r_2)\} \cup S, r_3) = r_3'\{p \mapsto P\}$ where $r_i' = \mathit{iter}(S, r_i)$ and $(p, P) = \mathit{solve}(r_1', r_2')$.
In addition to Definition 2.1, a theory X must fulfill the following axioms:

Axiom 2.3 For any $r_1, r_2, P \in R$ and $p \in T(\Sigma)$, $\mathit{solve}(r_1, r_2) = (p, P)$ implies $r_1\{p \mapsto P\} \equiv r_2\{p \mapsto P\}$.

Axiom 2.4 $[E] \models [u] = [v]$ implies $u =_{E,X} v$, where $=_{E,X}$ denotes the equational theory defined by $E \cup X$.

Axiom 2.5 For any $S \in P(R \times R)$ and any $r \in R$, we have $S \models \mathit{iter}(S, r) = r$.

Let us explain this a little bit. First of all, as we will see in section 2.2, the algorithm establishes and maintains equivalence classes over terms. Every equivalence class is labeled by an element of the set R; a function from $T(\Sigma)$ to R is maintained that returns the current label of each term. The function solve is capable of solving an equation between two elements of R, that is, it transforms an equation $r_1 = r_2$ for $r_1, r_2 \in R$ into the substitution $(p, P)$, with $p \in T(\Sigma)$ and $P \in R$, where the term p is now isolated. Axiom 2.3 makes sure that such a substitution renders equal the two semantical values $r_1$ and $r_2$ which are at the origin of this substitution. Finally, R also comes with a notion of implication of equalities, the relation $\models$. Axiom 2.4 just states that, if a set $[E]$ of equations between semantical values implies an equation $[u] = [v]$, then $u =_{E,X} v$, that is, an equality on the theory side implies an equality between the corresponding terms. The last axiom states that iterated substitution iter behaves well with respect to this implication relation: if $r'$ has been obtained from r by iterated substitution, then the equations at the origin of these substitutions imply the equality $r = r'$ (Axiom 2.5).

As a last remark, we have given the interface of a theory X in a slightly less general fashion than was possible: depending on the theory, the function solve may as well return a list of pairs $(p_i, P_i)$ with $p_i \in T(\Sigma)$ and $P_i \in R$. It becomes clear why we call this a substitution: the $p_i$ can be seen as variables that, during the application of a substitution, are replaced by a certain (theory) term. However, for the example presented in the next section, solve always returns a single pair, if it succeeds at all. Thus, we will stick with the simpler forms of solve and subst.
The following proposition is a simple, but useful, consequence of the axioms stated above. It will be used in the soundness proof. It simply states that, if semantical values constructed with $[\cdot]$ are equal, the original terms were already equal with respect to X.

Proposition 2.6 For any terms $x, y \in T(\Sigma)$, $[x] \equiv [y]$ implies $x =_X y$.

2.2 The Algorithm CC(X)

The algorithm works on triples (configurations) made of Γ, a mapping from semantical values to sets of terms; a mapping from terms to semantical values (the current representatives); and Φ, a set of equations between terms. Given the input set E of equations and a query (an equation) Q for which we want to solve the word problem, the algorithm starts in an initial configuration $K_0$ whose components are $\Gamma_{E,Q}$, the initial representative mapping, which maps every $t \in T(\Sigma)$ to $[t]$, and E. Let $T_{E,Q}$ be the set of all terms and subterms that occur in E or Q. $\Gamma_{E,Q}$, intuitively, maps each semantical value to the terms that contain it directly; it is defined as follows:
$\Gamma_{E,Q}(r) = \{ f(t_1, \dots, t_n) \in T_{E,Q} \mid \exists t.\ t \in \mathit{leaves}([t_i]) \text{ and } r = [t] \text{ for some } i \}$.

[Figure 1: The rules of the congruence closure algorithm CC(X), CONGR and REMOVE. The rule layout is not recoverable; the rules are described in the text below.]

In Figure 1, we describe our algorithm CC(X) as two inference rules operating on configurations. At any time, Φ represents the equations that still have to be treated, the representative mapping is the structure that can tell us if two terms are known to be equal (it can be seen as the find function of a union-find data structure), and Γ stores the information of which terms have to be considered for congruence. The semantical value that the mapping associates with a term $t \in T(\Sigma)$ is also called the representative of t. Figure 1 also uses an abbreviation: we sometimes write $\vec u$ for $u_1, \dots, u_n$, where n is clear from the context. We also say that the representatives of $\vec u$ and $\vec v$ are equivalent for the equivalences between the representatives of $u_1$ and $v_1$, ..., $u_n$ and $v_n$. If $t_1 \in \Gamma(r)$ where r is the representative of $t_2$, for $t_1, t_2 \in T(\Sigma)$, we also say $t_1$ is used by $t_2$, or $t_2$ uses $t_1$.

We now have all the necessary elements to understand the rules. We first explain the second rule, because it is simpler: REMOVE just chooses an equation in Φ, checks if it is already known to be true (with the help of the representative mapping), and, if this is the case, discards it. The rule CONGR is more complex. It also chooses an equation in Φ, one that is not already known to be true. This equation a = b with $a, b \in T(\Sigma)$ is transformed into an equation in R between the representatives of a and b, and then solved in the theory X, which yields a term p and a semantical value P. The term p is then substituted by P in all representatives. Then, Γ is updated according to these substitutions: the terms that used p before now also use all the terms $t \in \mathit{leaves}(P)$. Finally, a set Φ' of new equations is calculated, which is added to the set Φ of the equations to be treated.
The set Φ' is calculated in the following way: the left hand side of any equation in Φ' is a term that used p, and the right hand side is either a term that used p, or a term that used a term l among the leaves of the new representative of a term t whose previous representative had p among its leaves.

This rather complicated condition assures that only concerned terms are considered for congruence. As the name implies, the CONGR rule will only add equations of the form $f(t_1, \dots, t_n) = f(t_1', \dots, t_n')$ where the corresponding subterms are already known to be equal, that is, the representatives of $t_i$ and $t_i'$ are equivalent for $1 \le i \le n$.

2.3 Incrementality

The backtracking search underlying the architecture of SMT solvers enforces an incremental treatment of the set of ground equations. Indeed, for efficiency reasons, equations are given one by one by the SAT solver to the decision procedures, which prevents them from realizing a global preliminary treatment, unless the congruence closure is restarted from scratch. We present in this section an incremental version of our algorithm where the set Φ is now considered as a sequence of equations and queries between closed terms. A query $u \stackrel{?}{=} v$ of Φ is valid if and only if $u =_{\Phi'} v$, where Φ' is the set of equations of Φ occurring before the query. Taking the sequential aspect of Φ into account amounts to replacing the set unions by a sequence operator ; for the third component of the configurations in the rules CONGR and REMOVE of Figure 1. In the sequential case, $T_\Phi$ is not known at the beginning of the algorithm. Hence $\Gamma_\Phi$ is empty at the beginning and it has to be constructed step by step from the sequence Φ. However, this is not sufficient. Indeed, suppose for instance that Φ is the sequence a = b; f(a) = t; f(b) = u. Then, the instance CC(Empty) (footnote 2) will fail to prove that t = u since the equality a = b is processed too early, when f(a) and f(b) are not yet in the structure Γ, thus preventing the congruence closure. This problem is fixed by the rule ADD, described in Figure 2, which determines the new equalities that can be propagated by congruence when processing a new term. For example, processing the term f(b) in f(b) = u will update Γ and add f(a) = f(b) to Φ, which will eventually trigger the CONGR rule. We also add an extra rule QUERY to validate queries.
3 Example

In this section, we present the theory of linear arithmetic over the rationals as an interesting example of instantiation of CC(X). This theory corresponds to the tuple ({+,,/,,succ,0}, R, $=_A$) with the following remarks:
- The interpreted function symbols are +,,/,, succ and 0.
- The semantical values are polynomials of the form $c_0 + \sum_{i=1}^{n} c_i t_i$ with $c_i \in \mathbb{Q}$, $t_i \in T(\Sigma)$ and $c_i \neq 0$.

Footnote 2: Empty stands for the empty theory.

[Figure 2: Adding incrementality: the rules ADD and QUERY. The rule layout is not recoverable; ADD updates Γ for a newly encountered term f(a) occurring in an equation or query C[f(a)] and adds the congruent equations f(a) = f(b) to Φ; QUERY validates a query a ?= b by comparing the representatives of a and b.]

From an implementation point of view, these polynomials can be represented as pairs where the left component represents $c_0$ and the right component is a map from terms to rationals that represents the sum $\sum_{i=1}^{n} c_i t_i$. In the rest of the example, these semantical values are simply written in standard mathematical notation, for the sake of readability. $=_A$ is just the usual equality over rational expressions. The functions needed by the algorithm are defined as follows:
- The function $[\cdot]$ interprets the above function symbols as usual and constructs polynomials accordingly.
- The function leaves just returns the set of all the base terms in the polynomial: $\mathit{leaves}(c_0 + \sum_{i=1}^{n} c_i t_i) = \{t_i \mid 1 \le i \le n\}$.
- For the term t and the polynomials $p_1, p_2$, $\mathit{subst}(t, p_1, p_2)$ replaces the term t by the polynomial $p_1$ in $p_2$, if t occurs in $p_2$.
- For two polynomials $p_1, p_2 \in R$, $\mathit{solve}(p_1, p_2)$ is simply the Gauss algorithm that solves the equation $p_1 = p_2$ for a certain term occurring in $p_1$ or $p_2$.
- $\models$ is again just the entailment relation in linear arithmetic.

If we admit the soundness of the $[\cdot]$ function and the Gauss algorithm used in solve, the axioms that need to hold are trivially true.

Theorem 3.1 The functions defined above satisfy the axioms.

We now want to show the execution of the non-incremental algorithm by an example in arithmetic. Consider therefore the set of equations E = {g(x+k) = a, s = g(k), x = 0} and suppose we want to find out whether the equation s = a follows. The algorithm will start in a configuration with components $\Gamma_{E,Q}$, the initial representative mapping (defined as usual) and E, where $\Gamma_{E,Q}$ is the following function, defined for all the terms occurring in E or the query:

[t]      | $\Gamma_{E,Q}([t])$
x        | {x+k, g(x+k)}
a        | ∅
k        | {x+k, g(k), g(x+k)}
s        | ∅
0        | ∅
g(k)     | ∅
g(x+k)   | ∅
x+k      | {g(x+k)}

The application of the CONGR rule to the first equation g(x+k) = a yields a configuration $K_1$ with components $\Gamma_1$, an updated representative mapping and $\Phi_1$. solve has to solve the equation g(x+k) = a and just returns (for example) p = g(x+k) and P = a. The representative of g(x+k) is updated to a, but the mapping is otherwise left unchanged. As $\Gamma_{E,Q}([p]) = \Gamma_{E,Q}([g(x+k)]) = \emptyset$, $\Gamma_1 = \Gamma_{E,Q}$ and $\Phi_1 = E \setminus \{g(x+k) = a\}$. The next equation to be treated is s = g(k). The resulting tuple $K_2$ again does not change, with the exception that the representative of s becomes g(k) and $\Phi_2 = \Phi_1 \setminus \{s = g(k)\}$. The interesting equation is x = 0. The following table shows the changes of the representative mapping between steps 2 and 3, knowing that p = x and P = 0 (the third column is the second one with x replaced by 0):

t        | representative at step 2 | representative at step 3
x        | x                        | 0
g(x+k)   | a                        | a
s        | g(k)                     | g(k)
x+k      | x+k                      | k

It is important to see that the representative of x+k has changed, even if the term was not directly involved in the equation that was treated. We also have $\Gamma_3(0) = \{x+k, g(x+k)\}$, that is, 0 is now used by the same terms as x. Finally, new equations are added. Recall that the set Φ' of new equations is calculated in the following way (p has been replaced by x): its left hand sides are the terms f(u) in Γ([x]); its right hand sides are the terms f(v) in Γ([x]) or in Γ([l]) for some l among the leaves of the new representative of a term t whose representative contained x among its leaves; and only the pairs whose argument representatives are equivalent are kept.

To calculate this set, we first collect the terms that use x: $\Gamma_2([x]) = \Gamma_{E,Q}([x]) = \{x+k, g(x+k)\}$. The elements of $\Gamma_2([x])$ are potential left hand sides of new equations. To calculate the set of potential right hand sides, we first construct the set of terms t whose representative at step 2 contains x, which is {x, x+k}, and, for every term t in this set, we calculate the leaves of its representative at step 3 and merge all these sets, which gives {0, k}. Then, for each term l in this set, we calculate $\Gamma_2([l])$ and merge these sets, obtaining {x+k, g(k), g(x+k)}. If we cross this set with the set $\Gamma_2([x])$ and filter out the equations that are not congruent, we obtain three new equalities $\Phi_3 = \{x+k = x+k,\ g(x+k) = g(x+k),\ g(x+k) = g(k)\}$. The first two equations get immediately removed by the REMOVE rule. After treatment of the last one, without explicitly writing all the steps down, we will obtain that the representatives of s and a at step 4 both coincide with g(k), which lets us conclude that s = a is indeed a consequence of E.

4 Implementation

An efficient OCaml implementation of CC(X) exists and is at the heart of the Ergo automated theorem prover [1]. This implementation uses only purely functional data structures and directly follows the three inference rules presented so far. In order to check the scalability of our algorithm, we benchmarked Ergo and three other provers on our test suite: 1349 verification conditions automatically generated by the VCG Caduceus/Why from 61 C programs. They were run with a fixed timeout of 20s on a machine with Xeon processors (3.20 GHz) and 2 Gb of memory. For this benchmark, CC(X) is instantiated with the theory of linear arithmetic. As shown by the results in Figure 3, the current experiments are very promising with respect to speed and to the number of goals automatically solved. However, the benchmarks also contain logical connectives and quantifiers, not handled by CC(X).
So, strictly speaking, Figure 3 only proves that CC(X) is sufficiently fast to let Ergo compete with Yices and Simplify.
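As an added illustration (not code from the paper or from Ergo), the following Python sketch instantiates the non-incremental CC(X) of Figure 1 with the linear rational arithmetic theory of section 3 and runs it on the paper's own example E = {g(x+k) = a, s = g(k), x = 0} with query s = a. The term encoding, the choice of which leaf solve isolates, and the dict-based Γ are assumptions of this sketch.

```python
from fractions import Fraction
from itertools import product

# Term encoding (an assumption of this sketch): a str is an uninterpreted
# constant, an int a numeral, a tuple (symbol, arg1, ...) an application;
# '+' is the only interpreted symbol, every other head is uninterpreted.

class Poly:
    """Semantical value c0 + sum(ci * ti): rational constant plus a map term -> coefficient."""
    def __init__(self, const=0, terms=None):
        self.const = Fraction(const)
        self.terms = {t: Fraction(c) for t, c in (terms or {}).items() if c != 0}
    def key(self):
        return (self.const, frozenset(self.terms.items()))
    def __eq__(self, other):
        return isinstance(other, Poly) and self.key() == other.key()
    def __hash__(self):
        return hash(self.key())
    def add(self, other, factor=1):          # self + factor * other
        terms = dict(self.terms)
        for t, c in other.terms.items():
            terms[t] = terms.get(t, 0) + factor * c
        return Poly(self.const + factor * other.const, terms)
    def scale(self, k):
        return Poly(self.const * k, {t: c * k for t, c in self.terms.items()})

def interp(t):
    """[t]: construct the polynomial denoted by a term."""
    if isinstance(t, int):
        return Poly(t)
    if isinstance(t, tuple) and t[0] == '+':
        return interp(t[1]).add(interp(t[2]))
    return Poly(0, {t: 1})                   # an uninterpreted term is its own leaf

def leaves(r):
    return set(r.terms)

def subst(p, P, r):
    """r{p -> P}: replace the leaf p by the polynomial P inside r."""
    c = r.terms.get(p)
    if c is None:
        return r
    return Poly(r.const, {t: k for t, k in r.terms.items() if t != p}).add(P, c)

def solve(r1, r2):
    """One Gauss step: isolate a leaf p of r1 - r2 and return (p, P) with p = P."""
    d = r1.add(r2, -1)
    if not d.terms:
        raise ValueError("nothing to isolate" if d.const == 0 else "inconsistent equation")
    p = min(d.terms, key=repr)               # deterministic choice of the isolated leaf
    rest = Poly(d.const, {t: k for t, k in d.terms.items() if t != p})
    return p, rest.scale(-1 / d.terms[p])

def subterms(t, acc):
    acc.add(t)
    if isinstance(t, tuple):
        for a in t[1:]:
            subterms(a, acc)
    return acc

def ccx(equations, query):
    """Non-incremental CC(X): does query follow from equations (rules CONGR/REMOVE)?"""
    terms = set()
    for a, b in equations + [query]:
        subterms(a, terms); subterms(b, terms)
    delta = {t: interp(t) for t in terms}    # representative of every term, initially [t]
    gamma = {}                               # Gamma_{E,Q}: [leaf] -> terms using that leaf
    for t in terms:
        if isinstance(t, tuple):
            for arg in t[1:]:
                for l in leaves(interp(arg)):
                    gamma.setdefault(interp(l), set()).add(t)
    phi = list(equations)
    while phi:
        a, b = phi.pop(0)
        if delta[a] == delta[b]:             # REMOVE: already known to be equal
            continue
        p, P = solve(delta[a], delta[b])     # CONGR: solve in the theory, then substitute
        old = dict(delta)
        for t in terms:
            delta[t] = subst(p, P, delta[t])
        users_p = set(gamma.get(interp(p), set()))
        # Right-hand-side candidates: users of p, plus users of any leaf l of the new
        # representative of a term t whose old representative contained p.
        rhs = set(users_p)
        for t in terms:
            if p in leaves(old[t]):
                for l in leaves(delta[t]):
                    rhs |= gamma.get(interp(l), set())
        for l in leaves(P):                  # terms that used p now also use leaves(P)
            gamma.setdefault(interp(l), set()).update(users_p)
        for u, v in product(users_p, rhs):   # keep only congruent pairs f(u) = f(v)
            if u[0] == v[0] and len(u) == len(v) and \
               all(delta[x] == delta[y] for x, y in zip(u[1:], v[1:])):
                phi.append((u, v))
    return delta[query[0]] == delta[query[1]]

# Constructed input: the paper's example E = {g(x+k) = a, s = g(k), x = 0}, query s = a.
E = [(('g', ('+', 'x', 'k')), 'a'), ('s', ('g', 'k')), ('x', 0)]
Q = ('s', 'a')
if __name__ == "__main__":
    print("s = a follows from E:", ccx(E, Q))      # True
```

Dropping the equation x = 0 from E makes the query fail, since g(x+k) and g(k) are then never found congruent.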

           | valid | timeout | unknown
Simplify   | 98%   | 1%      | 1%
Yices      | 95%   | 2%      | 3%
Ergo       | 95%   | 4%      | 1%
CVC-Lite   | 67%   | 30%     | 3%

Figure 3: Comparison between Ergo, Simplify, Yices and CVC-Lite on 1349 verification conditions.

5 Conclusion and Future Works

We have presented a new algorithm CC(X) which efficiently combines the theory of equality over uninterpreted function symbols with solvable theories. Our method is reminiscent of Shostak's algorithm. Its main novelty rests on the use of abstract data structures for class representatives, which allows efficient implementations of crucial operations. The soundness proof of our algorithm is given in the appendix. Its completeness is current work; obviously, this will require some additional assumptions on the theory X which may be expressed as properties of the functions given in Definition 2.1.

CC(X) has been implemented in OCaml as a functor parameterized by a theory module whose signature is the one given in section 2.1. CC(X) is at the core of the Ergo theorem prover. Since practice often arrives before theory, a number of extra features of CC(X) have already been implemented in Ergo. We leave for future work their formalization and correctness proofs:
- A functor CombineX(X1,X2) combines two theory modules X1 and X2, allowing CC(X) to combine several solvable theories. This combination only works for (polymorphic) typed theories under certain restrictions.
- Predicate symbols are already handled by CC(X). Their treatment integrates smoothly into the whole framework.
- CC(X) has been instrumented to produce explanations so that the SAT solver part of Ergo can benefit from them for its backjumping mechanism.

Another direction is to prove the prover in a proof assistant. Indeed, Ergo uses only purely functional data structures, is highly modular and very concise (about 3000 lines of code). All these features should make a formal certification feasible.

References

[1] S. Conchon and E. Contejean. The Ergo automatic theorem prover. http://ergo.lri.fr/.


More information

Part 1: Propositional Logic

Part 1: Propositional Logic Part 1: Propositional Logic Literature (also for first-order logic) Schöning: Logik für Informatiker, Spektrum Fitting: First-Order Logic and Automated Theorem Proving, Springer 1 Last time 1.1 Syntax

More information

SMT: Satisfiability Modulo Theories

SMT: Satisfiability Modulo Theories SMT: Satisfiability Modulo Theories Ranjit Jhala, UC San Diego April 9, 2013 Decision Procedures Last Time Propositional Logic Today 1. Combining SAT and Theory Solvers 2. Theory Solvers Theory of Equality

More information

Propositional Logic: Evaluating the Formulas

Propositional Logic: Evaluating the Formulas Institute for Formal Models and Verification Johannes Kepler University Linz VL Logik (LVA-Nr. 342208) Winter Semester 2015/2016 Propositional Logic: Evaluating the Formulas Version 2015.2 Armin Biere

More information

First-Order Theorem Proving and Vampire

First-Order Theorem Proving and Vampire First-Order Theorem Proving and Vampire Laura Kovács 1,2 and Martin Suda 2 1 TU Wien 2 Chalmers Outline Introduction First-Order Logic and TPTP Inference Systems Saturation Algorithms Redundancy Elimination

More information

EAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties

EAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties EAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties Bernd Finkbeiner, Christopher Hahn, and Marvin Stenger Saarland Informatics Campus, Saarland University, Saarbrücken, Germany

More information

Propositional Reasoning

Propositional Reasoning Propositional Reasoning CS 440 / ECE 448 Introduction to Artificial Intelligence Instructor: Eyal Amir Grad TAs: Wen Pu, Yonatan Bisk Undergrad TAs: Sam Johnson, Nikhil Johri Spring 2010 Intro to AI (CS

More information

Quantifier Instantiation Techniques for Finite Model Finding in SMT

Quantifier Instantiation Techniques for Finite Model Finding in SMT Quantifier Instantiation Techniques for Finite Model Finding in SMT Andrew Reynolds, Cesare Tinelli Amit Goel, Sava Krstic Morgan Deters, Clark Barrett Satisfiability Modulo Theories (SMT) SMT solvers

More information

From SAT To SMT: Part 1. Vijay Ganesh MIT

From SAT To SMT: Part 1. Vijay Ganesh MIT From SAT To SMT: Part 1 Vijay Ganesh MIT Software Engineering & SMT Solvers An Indispensable Tactic for Any Strategy Formal Methods Program Analysis SE Goal: Reliable/Secure Software Automatic Testing

More information

Model-based Theory Combination

Model-based Theory Combination Electronic Notes in Theoretical Computer Science 198 (2008) 37 49 www.elsevier.com/locate/entcs Model-based Theory Combination Leonardo de Moura 1 Nikolaj Bjørner 2 Microsoft Research, One Microsoft Way,

More information

Introduction to Logic in Computer Science: Autumn 2007

Introduction to Logic in Computer Science: Autumn 2007 Introduction to Logic in Computer Science: Autumn 2007 Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam Ulle Endriss 1 Tableaux for First-order Logic The next part of

More information

Syntax of FOL. Introduction to Logic in Computer Science: Autumn Tableaux for First-order Logic. Syntax of FOL (2)

Syntax of FOL. Introduction to Logic in Computer Science: Autumn Tableaux for First-order Logic. Syntax of FOL (2) Syntax of FOL Introduction to Logic in Computer Science: Autumn 2007 Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam The syntax of a language defines the way in which

More information

Leonardo de Moura Microsoft Research

Leonardo de Moura Microsoft Research Leonardo de Moura Microsoft Research Logic is The Calculus of Computer Science (Z. Manna). High computational complexity Naïve solutions will not scale Is formula F satisfiable modulo theory T? SMT solvers

More information

Quantifiers. Leonardo de Moura Microsoft Research

Quantifiers. Leonardo de Moura Microsoft Research Quantifiers Leonardo de Moura Microsoft Research Satisfiability a > b + 2, a = 2c + 10, c + b 1000 SAT a = 0, b = 3, c = 5 Model 0 > 3 + 2, 0 = 2 5 + 10, 5 + ( 3) 1000 Quantifiers x y x > 0 f x, y = 0

More information

Notes. Corneliu Popeea. May 3, 2013

Notes. Corneliu Popeea. May 3, 2013 Notes Corneliu Popeea May 3, 2013 1 Propositional logic Syntax We rely on a set of atomic propositions, AP, containing atoms like p, q. A propositional logic formula φ Formula is then defined by the following

More information

First-Order Logic First-Order Theories. Roopsha Samanta. Partly based on slides by Aaron Bradley and Isil Dillig

First-Order Logic First-Order Theories. Roopsha Samanta. Partly based on slides by Aaron Bradley and Isil Dillig First-Order Logic First-Order Theories Roopsha Samanta Partly based on slides by Aaron Bradley and Isil Dillig Roadmap Review: propositional logic Syntax and semantics of first-order logic (FOL) Semantic

More information

Lecture Notes on SAT Solvers & DPLL

Lecture Notes on SAT Solvers & DPLL 15-414: Bug Catching: Automated Program Verification Lecture Notes on SAT Solvers & DPLL Matt Fredrikson André Platzer Carnegie Mellon University Lecture 10 1 Introduction In this lecture we will switch

More information

ME(LIA) - Model Evolution With Linear Integer Arithmetic Constraints

ME(LIA) - Model Evolution With Linear Integer Arithmetic Constraints ME(LIA) - Model Evolution With Linear Integer Arithmetic Constraints Peter Baumgartner 1, Alexander Fuchs 2, and Cesare Tinelli 2 1 National ICT Australia (NICTA), PeterBaumgartner@nictacomau 2 The University

More information

Automated Program Verification and Testing 15414/15614 Fall 2016 Lecture 3: Practical SAT Solving

Automated Program Verification and Testing 15414/15614 Fall 2016 Lecture 3: Practical SAT Solving Automated Program Verification and Testing 15414/15614 Fall 2016 Lecture 3: Practical SAT Solving Matt Fredrikson mfredrik@cs.cmu.edu October 17, 2016 Matt Fredrikson SAT Solving 1 / 36 Review: Propositional

More information

Model Based Theory Combination

Model Based Theory Combination Model Based Theory Combination SMT 2007 Leonardo de Moura and Nikolaj Bjørner {leonardo, nbjorner}@microsoft.com. Microsoft Research Model Based Theory Combination p.1/20 Combination of Theories In practice,

More information

Foundations of Lazy SMT and DPLL(T)

Foundations of Lazy SMT and DPLL(T) Foundations of Lazy SMT and DPLL(T) Cesare Tinelli The University of Iowa Foundations of Lazy SMT and DPLL(T) p.1/86 Acknowledgments: Many thanks to Albert Oliveras for contributing some of the material

More information

Guarded resolution for Answer Set Programming

Guarded resolution for Answer Set Programming Under consideration for publication in Theory and Practice of Logic Programming 1 Guarded resolution for Answer Set Programming V.W. Marek Department of Computer Science, University of Kentucky, Lexington,

More information

Combining Instance Generation and Resolution

Combining Instance Generation and Resolution Combining Instance Generation and Resolution Christopher Lynch and Ralph Eric McGregor Clarkson University www.clarkson.edu/projects/carl Abstract. We present a new inference system for first-order logic,

More information

Satisfiability Modulo Theories (SMT)

Satisfiability Modulo Theories (SMT) CS510 Software Engineering Satisfiability Modulo Theories (SMT) Slides modified from those by Aarti Gupta Textbook: The Calculus of Computation by A. Bradley and Z. Manna 1 Satisfiability Modulo Theory

More information

Constraint Solving for Program Verification: Theory and Practice by Example

Constraint Solving for Program Verification: Theory and Practice by Example Constraint Solving for Program Verification: Theory and Practice by Example Andrey Rybalchenko Technische Universität München Abstract. Program verification relies on the construction of auxiliary assertions

More information

1 Algebraic Methods. 1.1 Gröbner Bases Applied to SAT

1 Algebraic Methods. 1.1 Gröbner Bases Applied to SAT 1 Algebraic Methods In an algebraic system Boolean constraints are expressed as a system of algebraic equations or inequalities which has a solution if and only if the constraints are satisfiable. Equations

More information

Entailment with Conditional Equality Constraints (Extended Version)

Entailment with Conditional Equality Constraints (Extended Version) Entailment with Conditional Equality Constraints (Extended Version) Zhendong Su Alexander Aiken Report No. UCB/CSD-00-1113 October 2000 Computer Science Division (EECS) University of California Berkeley,

More information

COMP219: Artificial Intelligence. Lecture 20: Propositional Reasoning

COMP219: Artificial Intelligence. Lecture 20: Propositional Reasoning COMP219: Artificial Intelligence Lecture 20: Propositional Reasoning 1 Overview Last time Logic for KR in general; Propositional Logic; Natural Deduction Today Entailment, satisfiability and validity Normal

More information

Lecture 2: Symbolic Model Checking With SAT

Lecture 2: Symbolic Model Checking With SAT Lecture 2: Symbolic Model Checking With SAT Edmund M. Clarke, Jr. School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 (Joint work over several years with: A. Biere, A. Cimatti, Y.

More information

ME(LIA) - Model Evolution With Linear Integer Arithmetic Constraints

ME(LIA) - Model Evolution With Linear Integer Arithmetic Constraints ME(LIA) - Model Evolution With Linear Integer Arithmetic Constraints Peter Baumgartner NICTA, Canberra, Australia PeterBaumgartner@nictacomau Alexander Fuchs Department of Computer Science The University

More information

Satisfiability Modulo Theories

Satisfiability Modulo Theories Satisfiability Modulo Theories Clark Barrett and Cesare Tinelli Abstract Satisfiability Modulo Theories (SMT) refers to the problem of determining whether a first-order formula is satisfiable with respect

More information

ME(LIA) - Model Evolution With Linear Integer Arithmetic Constraints

ME(LIA) - Model Evolution With Linear Integer Arithmetic Constraints ME(LIA) - Model Evolution With Linear Integer Arithmetic Constraints Peter Baumgartner NICTA, Canberra, Australia PeterBaumgartner@nictacomau Alexander Fuchs Department of Computer Science The University

More information

A Resolution Method for Modal Logic S5

A Resolution Method for Modal Logic S5 EPiC Series in Computer Science Volume 36, 2015, Pages 252 262 GCAI 2015. Global Conference on Artificial Intelligence A Resolution Method for Modal Logic S5 Yakoub Salhi and Michael Sioutis Université

More information

Model Evolution with Equality Revised and Implemented

Model Evolution with Equality Revised and Implemented Model Evolution with Equality Revised and Implemented Peter Baumgartner 1 NICTA and The Australian National University, Canberra, Australia Björn Pelzer Institute for Computer Science, Universität Koblenz-Landau,

More information

A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols

A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols Sumit Gulwani and George C. Necula University of California, Berkeley {gulwani,necula}@cs.berkeley.edu Abstract.

More information

Warm-Up Problem. Is the following true or false? 1/35

Warm-Up Problem. Is the following true or false? 1/35 Warm-Up Problem Is the following true or false? 1/35 Propositional Logic: Resolution Carmen Bruni Lecture 6 Based on work by J Buss, A Gao, L Kari, A Lubiw, B Bonakdarpour, D Maftuleac, C Roberts, R Trefler,

More information

The Eager Approach to SMT. Eager Approach to SMT

The Eager Approach to SMT. Eager Approach to SMT The Eager Approach to SMT Sanjit A. Seshia UC Berkeley Slides based on ICCAD 09 Tutorial Eager Approach to SMT Input Formula Satisfiability-preserving Boolean Encoder Boolean Formula SAT Solver SAT Solver

More information

Integrating Answer Set Programming and Satisfiability Modulo Theories

Integrating Answer Set Programming and Satisfiability Modulo Theories Integrating Answer Set Programming and Satisfiability Modulo Theories Ilkka Niemelä Helsinki University of Technology (TKK) Department of Information and Computer Science http://www.tcs.tkk.fi/ ini/ References:

More information

SAT/SMT/AR Introduction and Applications

SAT/SMT/AR Introduction and Applications SAT/SMT/AR Introduction and Applications Ákos Hajdu Budapest University of Technology and Economics Department of Measurement and Information Systems 1 Ákos Hajdu About me o PhD student at BME MIT (2016

More information

a > 3, (a = b a = b + 1), f(a) = 0, f(b) = 1

a > 3, (a = b a = b + 1), f(a) = 0, f(b) = 1 Yeting Ge New York University Leonardo de Moura Microsoft Research a > 3, (a = b a = b + 1), f(a) = 0, f(b) = 1 Dynamic symbolic execution (DART) Extended static checking Test-case generation Bounded model

More information

Integrating Simplex with DPLL(T )

Integrating Simplex with DPLL(T ) CSL Technical Report SRI-CSL-06-01 May 23, 2006 Integrating Simplex with DPLL(T ) Bruno Dutertre and Leonardo de Moura This report is based upon work supported by the Defense Advanced Research Projects

More information

A New Decision Procedure for Finite Sets and Cardinality Constraints in SMT

A New Decision Procedure for Finite Sets and Cardinality Constraints in SMT A New Decision Procedure for Finite Sets and Cardinality Constraints in SMT Kshitij Bansal 1, Andrew Reynolds 2, Clark Barrett 1, and Cesare Tinelli 2 1 Department of Computer Science, New York University

More information

2.5.2 Basic CNF/DNF Transformation

2.5.2 Basic CNF/DNF Transformation 2.5. NORMAL FORMS 39 On the other hand, checking the unsatisfiability of CNF formulas or the validity of DNF formulas is conp-complete. For any propositional formula φ there is an equivalent formula in

More information

Leonardo de Moura Microsoft Research

Leonardo de Moura Microsoft Research Leonardo de Moura Microsoft Research Is formula F satisfiable modulo theory T? SMT solvers have specialized algorithms for T b + 2 = c and f(read(write(a,b,3), c-2)) f(c-b+1) b + 2 = c and f(read(write(a,b,3),

More information

Proving Unsatisfiability in Non-linear Arithmetic by Duality

Proving Unsatisfiability in Non-linear Arithmetic by Duality Proving Unsatisfiability in Non-linear Arithmetic by Duality [work in progress] Daniel Larraz, Albert Oliveras, Enric Rodríguez-Carbonell and Albert Rubio Universitat Politècnica de Catalunya, Barcelona,

More information

Price: $25 (incl. T-Shirt, morning tea and lunch) Visit:

Price: $25 (incl. T-Shirt, morning tea and lunch) Visit: Three days of interesting talks & workshops from industry experts across Australia Explore new computing topics Network with students & employers in Brisbane Price: $25 (incl. T-Shirt, morning tea and

More information

Clausal Presentation of Theories in Deduction Modulo

Clausal Presentation of Theories in Deduction Modulo Gao JH. Clausal presentation of theories in deduction modulo. JOURNAL OF COMPUTER SCIENCE AND TECHNOL- OGY 28(6): 1085 1096 Nov. 2013. DOI 10.1007/s11390-013-1399-0 Clausal Presentation of Theories in

More information

Introduction to Logic in Computer Science: Autumn 2006

Introduction to Logic in Computer Science: Autumn 2006 Introduction to Logic in Computer Science: Autumn 2006 Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam Ulle Endriss 1 Plan for Today Today s class will be an introduction

More information

Mining Propositional Simplification Proofs for Small Validating Clauses

Mining Propositional Simplification Proofs for Small Validating Clauses Mining Propositional Simplification Proofs for Small Validating Clauses Ian Wehrman and Aaron Stump Computer Science and Engineering, Washington University in St. Louis {iwehrman,stump}@cse.wustl.edu,

More information

Logic in AI Chapter 7. Mausam (Based on slides of Dan Weld, Stuart Russell, Subbarao Kambhampati, Dieter Fox, Henry Kautz )

Logic in AI Chapter 7. Mausam (Based on slides of Dan Weld, Stuart Russell, Subbarao Kambhampati, Dieter Fox, Henry Kautz ) Logic in AI Chapter 7 Mausam (Based on slides of Dan Weld, Stuart Russell, Subbarao Kambhampati, Dieter Fox, Henry Kautz ) 2 Knowledge Representation represent knowledge about the world in a manner that

More information

The Simplify Theorem Prover

The Simplify Theorem Prover The Simplify Theorem Prover Class Notes for Lecture No.8 by Mooly Sagiv Notes prepared by Daniel Deutch Introduction This lecture will present key aspects in the leading theorem proving systems existing

More information

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa Scalable and Accurate Verification of Data Flow Systems Cesare Tinelli The University of Iowa Overview AFOSR Supported Research Collaborations NYU (project partner) Chalmers University (research collaborator)

More information

Propositional Logic. Methods & Tools for Software Engineering (MTSE) Fall Prof. Arie Gurfinkel

Propositional Logic. Methods & Tools for Software Engineering (MTSE) Fall Prof. Arie Gurfinkel Propositional Logic Methods & Tools for Software Engineering (MTSE) Fall 2017 Prof. Arie Gurfinkel References Chpater 1 of Logic for Computer Scientists http://www.springerlink.com/content/978-0-8176-4762-9/

More information

Part 1: Propositional Logic

Part 1: Propositional Logic Part 1: Propositional Logic Literature (also for first-order logic) Schöning: Logik für Informatiker, Spektrum Fitting: First-Order Logic and Automated Theorem Proving, Springer 1 Last time 1.1 Syntax

More information