Title: Clark W. Barrett
1A Framework for Cooperating Decision Procedures
- Clark W. Barrett
- David L. Dill
- Aaron Stump
Computer Systems Laboratory Stanford University
2Outline
- Motivation
- The Framework
- Correctness of the Framework
- Using the Framework
- Conclusions
3The Need for Decision Procedures
- Many interesting and practical problems can be
expressed as problems in a decidable theory. - General purpose decision procedures can save time
and effort when approaching new problems. - Decision procedures have been used in theorem
proving, model checking, symbolic simulation,
system specification, and other applications,
many of which were unanticipated.
4The Stanford Validity Checker (SVC)
- This work is a result of ongoing attempts to
improve the decision procedures of SVC. - Despite theoretical and architectural weaknesses,
SVC has been surprisingly successful. - Our goals with SVC include the following
- Provably correct,
- Adequately expressive, yet still decidable,
- Flexible and easy to extend,
- Maximum performance.
5SVC Core Cooperating Decision Procedures
- Suppose are decidable theories,
with disjoint signatures - Let and
- ? is a quantifier-free formula in the language of
?. - Is ? satisfiable in the theory
6Cooperating Decision Procedures
- Two main approaches
- Nelson and Oppen 79
- Shostak 84
- Original papers are confusing and incomplete.
- Tinelli Harandi 96
- Cyrluk et al. 96, Shankar Ruess 00
- This work seeks to unify and further clarify
these two approaches.
7Outline
- Motivation
- The Framework
- Correctness of the Framework
- Using the Framework
- Conclusions
8Preliminaries
- Expressions
- DAG representation of terms and formulas.
- Operator applied to 0 or more children.
- Union-Find
- Each expression (including Boolean constants true
and false) belongs to an equivalence class with a
unique representative. - Find(x) returns the equivalence class
representative of x. - Union(x,y) merges the equivalence classes
associated with x and y and makes y the new
representative.
9Framework Interface
- AddFormula(?) (? a literal in ? )
- C C ? ? (Initially, C Ø)
- Satisfiable()
- Returns TRUE iff Find(true) ? Find(false).
- Satisfiability of an arbitrary formula ? in ? is
determined by converting ? to DNF and then
testing each conjunct for satisfiability.
10The Framework
?
?
?
?
Propagate
t
t
ab
a,b
t
ab
t
t
Theory-specific code
11AddFormula and Assert
- Assert(?) processes the formula ? by first
simplifying it and then calling Merge. - AddFormula is a wrapper around Assert which
allows each theory to assert new facts.
Assert(?) ? Simplify(?) IF ? not an
equation THEN ? (? true)
Merge(?)
AddFormula(?) Assert(? ) REPEAT
FOREACH theory i DO Propagate(i)
UNTIL no change
12The Framework
?
?
?
?
Propagate
t
t
ab
a,b
t
ab
t
t
Theory-specific code
13Simplify and Rewrite
- Simplify returns an expression which is
equivalent in the current context. - Recursively replaces each sub-expression with its
equivalence class representative. - Applies theory-specific rewrites.
Simplify(?) IF Find(?) THEN RETURN
Find(?) ? Simplify each child of ? ?
Rewrite(?) RETURN ?
Rewrite(t) t TheoryRewrite(t) IF t ?
t THEN t Rewrite(t) RETURN t
14The Framework
?
?
?
?
Propagate
t
t
ab
a,b
t
ab
t
t
Theory-specific code
15Setup and Merge
- Merge records that two expressions a and b are
equal by merging their equivalence classes. - Calls Setup on each expression.
- Notifies theories that care about a.
Merge(ab) Setup(a)Setup(b) Union(a,b)
FOREACH ltf,dgt?a.notify Call f(ab,d)
Setup(t) IF Find(t) THEN RETURN FOREACH
child c Setup(c) TheorySetup(c) Find(c)
c
16A Simple Example
Find(a) b
a b
a b
a b
a b
true
a b
b b
b b
true
b b ? true
17Outline
- Motivation
- The Framework
- Correctness of the Framework
- Using the Framework
- Conclusions
18Approach to Correctness
- Develop a set of preconditions and requirements
that must hold for the framework to be correct. - Prove that, as long as the code associated with
individual theories adheres to these general
requirements, the framework is correct. - Prove the main theorems once, then prove a small
set of theorems each time a theory is added.
19Example Completeness
- Theorem Tinelli et al. 96
- Let T1 and T2 be two disjoint theories and let
?1 be a formula in the language of T1 and ?2 a
formula in the language of T2. - Let V be the set of their shared variables and
let ?(V) be an arrangement of V. - If ?1 ? ?(V) is satisfiable in T1 and
- ?2 ? ?(V) is satisfiable in T2, then
- ?1 ? ?2 is satisfiable in T1 ?T2.
20Example Completeness
- Every formula recorded by Merge is associated
with an individual theory. - Each theory Ti determines whether the conjunction
of its formulas together with the arrangement of
shared variables induced by the expression
equivalence classes is satisfiable in Ti. - By application of the previous theorem, we can
then determine whether the conjunction of all
formulas recorded by Merge is satisfiable.
21Outline
- Motivation
- The Framework
- Correctness of the Framework
- Using the Framework
- Conclusions
22The Framework
?
?
?
?
Propagate
t
t
ab
a,b
t
ab
t
t
Theory-specific code
23Nelson-Oppen Style Combinations
- Input formulas are transformed into equivalent
formulas, each of which is in a single theory. - Suppose f and g are symbols from two different
theories.
- Each theory must determine whether any equalities
between (shared) variables are entailed by its
formulas and propagate these equalities.
24Our Approach to Nelson-Oppen
- The flexible nature of the framework allows us to
directly implement and prove correctness of a
more efficient algorithm - Dont transform the formulas or introduce new
variables. It is sufficient to partition the
formulas and mark which terms are used by more
than one theory. - Only propagate equalities between terms used by
more than one theory, and only to theories which
use the left side of the equality.
25Nelson-Oppen Example
- Combines three theories
- Uninterpreted functions
- Arithmetic with inequalities
- Arrays
26Nelson-Oppen Example
?
?
?
Propagate
t
ab
t
a,b
t
t
ab
t
Uninterpreted
Arithmetic
Arrays
27Shostak Style Combinations
- More efficient than Nelson-Oppen, but not as
widely applicable. - Only applies to theories which are canonizable
and algebraically solvable. - Input formulas are solved for a single variable.
- No need to propagate equalities.
28Our Approach to Shostak
- Use theory-specific Rewrite code to solve and
canonize formulas. - Both Shostak and Nelson-Oppen style theories can
be integrated in the same framework. - Proof of correctness is easier than in other
treatments of Shostak because we can treat
uninterpreted functions as belonging to a
separate Nelson-Oppen style theory.
29Outline
- Motivation
- The Framework
- Correctness of the Framework
- Using the Framework
- Conclusions
30Conclusions
- What Have We Learned?
- There is a demand for efficient cooperating
decision procedures. - Getting it right is hard.
- A solid theoretical foundation is necessary.
- Future Work
- The next version of SVC is under development.
- New theories.
- Relax restrictions on what kinds of theories can
be integrated.
31Stay tuned
- Visit the SVC home page at http//verify.stanford.
edu/SVC