Decidable fragments of first-order logic, and combinations (slide deck, Pascal Fontaine)



slide-1
SLIDE 1

Decidable fragments of first-order logic, and combinations

Pascal Fontaine GF joint work with Carlos Areces

Loria, INRIA, Université de Nancy (France)

DECERT, June 28-29, 2010

DECERT, June 28-29, 2010 1 / 1

slide-2
SLIDE 2

Introduction

Context / Motivation

Formal verification of models (B, TLA+, ...) generates proof obligations
SMT solvers can increase automation for formal verification platforms
Proof obligations heavily use sets, relations, ...
Extend the language of SMT solvers with operators for sets, relations, ...

slide-3
SLIDE 3

Introduction

Extending the language of SMT (1/2)

SMT + syntactic sugar:

Operator   Definition
∈          λxp. p(x)
∩          λpq. λx. p(x) ∧ q(x)
\          λpq. λx. p(x) ∧ ¬q(x)
⊆          λpq. ∀x. p(x) → q(x)
...        ...

a = b ∧ ({f(a)} ∪ E) ⊆ A ∧ f(b) ∉ C ∧ A ∪ B = C ∩ D
becomes
a = b ∧ ∀x. [(x = f(a) ∨ E(x)) → A(x)] ∧ ¬C(f(b)) ∧ ∀x. [A(x) ∨ B(x)] ≡ [C(x) ∧ D(x)]
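The desugaring on this slide is mechanical, so it is worth seeing it as a program. The following is an added example, not code from the slides or from the veriT project: set terms and formulas are nested tuples of this example's own design, the element variables x1, x2, ... are fresh names it chooses, and the translation follows the λ-definitions of the table. Running it on the slide's example (with f(b) ∉ C, which the slide translates to ¬C(f(b))) reproduces the monadic first-order formula shown.

```python
"""Set operators as syntactic sugar over monadic first-order logic.

Added example (not from the slides): set terms are nested tuples and the
translation follows the lambda definitions on the slide; the element
variable names x1, x2, ... and the tuple constructors are this example's
own conventions.
"""


def member(s, x: str) -> str:
    """Formula stating that element `x` belongs to set term `s` (the λx. part)."""
    tag = s[0]
    if tag == "var":                       # set variable E  ~>  unary predicate E(x)
        return f"{s[1]}({x})"
    if tag == "singleton":                 # {t}             ~>  x = t
        return f"{x} = {s[1]}"
    if tag == "union":                     # ∪ = λpq. λx. p(x) ∨ q(x)
        return f"({member(s[1], x)} ∨ {member(s[2], x)})"
    if tag == "inter":                     # ∩ = λpq. λx. p(x) ∧ q(x)
        return f"({member(s[1], x)} ∧ {member(s[2], x)})"
    if tag == "diff":                      # \ = λpq. λx. p(x) ∧ ¬q(x)
        return f"({member(s[1], x)} ∧ ¬{member(s[2], x)})"
    raise ValueError(f"unknown set constructor {tag!r}")


class Fresh:
    """Hands out fresh bound-variable names so nested quantifiers never clash."""

    def __init__(self) -> None:
        self.count = 0

    def __call__(self) -> str:
        self.count += 1
        return f"x{self.count}"


def desugar(phi, fresh: Fresh) -> str:
    """Translate a formula with set operators into plain first-order logic."""
    tag = phi[0]
    if tag == "eq":                        # element equality is already first-order
        return f"{phi[1]} = {phi[2]}"
    if tag == "in":                        # ∈ = λxp. p(x)
        return member(phi[2], phi[1])
    if tag == "notin":
        return f"¬{member(phi[2], phi[1])}"
    if tag == "subset":                    # ⊆ = λpq. ∀x. p(x) → q(x)
        x = fresh()
        return f"∀{x}. [{member(phi[1], x)} → {member(phi[2], x)}]"
    if tag == "seteq":                     # set equality by extensionality
        x = fresh()
        return f"∀{x}. [{member(phi[1], x)} ≡ {member(phi[2], x)}]"
    if tag == "and":
        return " ∧ ".join(desugar(p, fresh) for p in phi[1:])
    raise ValueError(f"unknown formula constructor {tag!r}")


# The slide's example: a = b ∧ ({f(a)} ∪ E) ⊆ A ∧ f(b) ∉ C ∧ A ∪ B = C ∩ D
SLIDE_EXAMPLE = (
    "and",
    ("eq", "a", "b"),
    ("subset", ("union", ("singleton", "f(a)"), ("var", "E")), ("var", "A")),
    ("notin", "f(b)", ("var", "C")),
    ("seteq", ("union", ("var", "A"), ("var", "B")),
              ("inter", ("var", "C"), ("var", "D"))),
)


def translate(phi=SLIDE_EXAMPLE) -> str:
    return desugar(phi, Fresh())


if __name__ == "__main__":
    print(translate())
```

Because no operator introduces a function symbol or a binary predicate, the output only ever contains unary predicates applied to terms and equalities between terms, which is why the slide can say the resulting theory T_FOL is monadic.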

slide-5
SLIDE 5

Introduction

Extending the language of SMT (2/2)

Formula F is in the language of our favorite SMT solver (for theory T), but also contains basic operations on sets
Study the satisfiability of a quantifier-free formula F′ in T ∪ T_FOL
  just basic operations on sets: T_FOL is monadic
  basic operations on relations: T_FOL is BSR, ∃∗∀∗ϕ (ϕ function- and quantifier-free)
  T_FOL depends on F
Goal: prove that any theory T_FOL in the monadic class (or BSR) is combinable with T

slide-6
SLIDE 6

Introduction

Decidable first-order classes

Some well-known decidable first-order classes:
  restriction on arities: monadic
  restriction on quantifier alternation: Ackermann (∃⋆∀∃⋆), Bernays-Schönfinkel-Ramsey (∃⋆∀⋆)
  restriction on the number of variables: the two-variable fragment
  restriction on the use of quantifiers: the guarded fragment(s)
The theories from those classes can be combined with (nearly) any disjoint decidable theory

slide-7
SLIDE 7

Combining disjoint decision procedures

Combining disjoint decision procedures (1)

A combination of disjoint languages:
L = {x ≤ y, y ≤ x + f(x), P(h(x) − h(y)), ¬P(0), f(x) = 0}
with uninterpreted symbols (P, f, h) and arithmetic (+, −, ≤, 0).

Combination of disjoint decision procedures: combination of the empty theory and the theory of linear arithmetic (both stably infinite)

Separation using new variables:
L1 = {x ≤ y, y ≤ x + v1, v1 = 0, v2 = v3 − v4, v5 = 0}
L2 = {P(v2), ¬P(v5), v1 = f(x), v3 = h(x), v4 = h(y)}

L and L1 ∪ L2 are both satisfiable or both unsatisfiable.
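The separation step above (purification) is the part of the combination that a solver performs syntactically, before any reasoning. The following is an added example, not code from the slides or from the veriT project: terms are nested tuples, the arithmetic signature is taken to be {+, −, ≤, 0} with every other symbol uninterpreted, and the fresh variables v1, v2, ... are numbered in the order in which foreign subterms are met, which is what makes it reproduce the slide's L1 and L2 exactly on the slide's L.

```python
"""Purification: splitting a mixed formula into disjoint-signature parts.

Added example (not from the slides): terms are nested tuples, the arithmetic
signature is {+, −, ≤, 0}, and every other symbol is uninterpreted.  The
fresh variables v1, v2, ... are introduced in the order the foreign subterms
are met, which reproduces the slide's L1 and L2 for its example.
"""

ARITH = {"+", "−", "≤", "0"}


def is_var(t) -> bool:
    # variables (x, y, v1, ...) are strings that are not arithmetic symbols
    return isinstance(t, str) and t not in ARITH


def theory(t) -> str:
    """Owner of a non-variable term or atom, decided by its top symbol."""
    sym = t if isinstance(t, str) else t[0]
    return "arith" if sym in ARITH else "euf"


def show(t) -> str:
    if isinstance(t, str):
        return t
    op, *args = t
    if op in {"+", "−", "≤", "="}:
        return f"{show(args[0])} {op} {show(args[1])}"
    if op == "¬":
        return "¬" + show(args[0])
    return f"{op}({', '.join(show(a) for a in args)})"


class Purifier:
    def __init__(self) -> None:
        self.sides = {"arith": [], "euf": []}
        self.memo = {}            # abstracted subterm -> its fresh variable

    def term(self, t, owner: str):
        """Rewrite `t` so that it only uses `owner`'s symbols and variables."""
        if is_var(t):
            return t
        if theory(t) != owner:
            # a foreign subterm is named by a fresh variable (shared by both
            # sides) and defined once, on the side that understands it
            if t not in self.memo:
                v = self.memo[t] = f"v{len(self.memo) + 1}"
                self.sides[theory(t)].append(("=", v, self.term(t, theory(t))))
            return self.memo[t]
        if isinstance(t, str):
            return t
        return (t[0], *(self.term(a, owner) for a in t[1:]))

    def literal(self, lit) -> None:
        if lit[0] == "¬":
            owner = theory(lit[1])
            self.sides[owner].append(("¬", self.term(lit[1], owner)))
        elif lit[0] == "=":
            s, t = lit[1], lit[2]
            # an equality goes to the side of an operand that is a real term;
            # a variable or an already-abstracted subterm expresses no preference
            owner = theory(t) if (is_var(s) or s in self.memo) else theory(s)
            self.sides[owner].append(("=", self.term(s, owner), self.term(t, owner)))
        else:
            owner = theory(lit)
            self.sides[owner].append(self.term(lit, owner))


def purify(literals):
    """Return (L1, L2): the arithmetic and the uninterpreted part, as strings."""
    p = Purifier()
    for lit in literals:
        p.literal(lit)
    return [show(l) for l in p.sides["arith"]], [show(l) for l in p.sides["euf"]]


# The slide's L = {x ≤ y, y ≤ x + f(x), P(h(x) − h(y)), ¬P(0), f(x) = 0}
L = [
    ("≤", "x", "y"),
    ("≤", "y", ("+", "x", ("f", "x"))),
    ("P", ("−", ("h", "x"), ("h", "y"))),
    ("¬", ("P", "0")),
    ("=", ("f", "x"), "0"),
]

if __name__ == "__main__":
    L1, L2 = purify(L)
    print("L1 =", L1)
    print("L2 =", L2)
```

Two details matter for equisatisfiability: a repeated subterm (f(x) occurs twice) must map to the same fresh variable, and a definitional equation v = t must be placed on the side that owns t. The memo table does both; without it f(x) = 0 would acquire a second name and the slide's v1 = 0 would not appear.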

slide-8
SLIDE 8

Combining disjoint decision procedures

Combining disjoint decision procedures (2)

Cooperation by exchanging equalities:

L1 = {x ≤ y, y ≤ x + v1, v1 = 0, v2 = v3 − v4, v5 = 0}
L2 = {P(v2), ¬P(v5), v1 = f(x), v3 = h(x), v4 = h(y)}

From L1, x = y:
L1 = {x ≤ y, y ≤ x + v1, v1 = 0, v2 = v3 − v4, v5 = 0}
L′2 = {P(v2), ¬P(v5), v1 = f(x), v3 = h(x), v4 = h(y), x = y}

From L′2, v3 = v4:
L′1 = {x ≤ y, y ≤ x + v1, v1 = 0, v2 = v3 − v4, v5 = 0, v3 = v4}
L′2 = {P(v2), ¬P(v5), v1 = f(x), v3 = h(x), v4 = h(y), x = y}

From L′1, v2 = v5:
L′1 = {x ≤ y, y ≤ x + v1, v1 = 0, v2 = v3 − v4, v5 = 0, v3 = v4}
L′′2 = {P(v2), ¬P(v5), v1 = f(x), v3 = h(x), v4 = h(y), x = y, v2 = v5}

L′′2 is unsatisfiable.
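The uninterpreted side of this exchange is decided by congruence closure, and the trace above can be replayed with it. The following is an added example, not code from the slides or from the veriT project: only the EUF side is implemented, the two deductions of the arithmetic side (x = y, then v2 = v5) are taken from the slide as given inputs, and the predicate atoms are encoded as equations with two constructed constants ⊤ and ⊥ so that a conflict between P(v2) and ¬P(v5) shows up as ⊤ = ⊥.

```python
"""Congruence closure for the uninterpreted side of the equality exchange.

Added example (not from the slides).  Only the EUF side is implemented; the
arithmetic side's two deductions (x = y, then v2 = v5) are taken from the
slide as given.  Atoms are encoded as equations with the constants ⊤ and ⊥:
P(t) becomes P(t) = ⊤ and ¬P(t) becomes P(t) = ⊥, so a conflict is ⊤ = ⊥.
"""
from itertools import combinations

TRUE, FALSE = "⊤", "⊥"


def subterms(t, acc):
    acc.add(t)
    if isinstance(t, tuple):
        for a in t[1:]:
            subterms(a, acc)
    return acc


class CongruenceClosure:
    def __init__(self, equations):
        self.terms = {TRUE, FALSE}
        for s, t in equations:
            subterms(s, self.terms)
            subterms(t, self.terms)
        self.parent = {t: t for t in self.terms}    # union-find over all subterms
        for s, t in equations:
            self.union(s, t)
        self.close()

    def find(self, t):
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]   # path halving
            t = self.parent[t]
        return t

    def union(self, s, t) -> bool:
        rs, rt = self.find(s), self.find(t)
        if rs == rt:
            return False
        self.parent[rs] = rt
        return True

    def close(self) -> None:
        """Congruence: f(a1..an) = f(b1..bn) whenever every ai = bi; iterate to a fixpoint."""
        apps = [t for t in self.terms if isinstance(t, tuple)]
        changed = True
        while changed:
            changed = False
            for u, v in combinations(apps, 2):
                if u[0] == v[0] and len(u) == len(v) and all(
                    self.find(a) == self.find(b) for a, b in zip(u[1:], v[1:])
                ):
                    changed |= self.union(u, v)

    def equal(self, s, t) -> bool:
        return self.find(s) == self.find(t)

    def implied_equalities(self, shared):
        """Equalities between shared variables entailed by the asserted equations."""
        return [(a, b) for a, b in combinations(shared, 2) if self.equal(a, b)]

    def consistent(self) -> bool:
        return not self.equal(TRUE, FALSE)


# The slide's L2 = {P(v2), ¬P(v5), v1 = f(x), v3 = h(x), v4 = h(y)}
L2 = [
    (("P", "v2"), TRUE),
    (("P", "v5"), FALSE),
    ("v1", ("f", "x")),
    ("v3", ("h", "x")),
    ("v4", ("h", "y")),
]
SHARED = ["x", "y", "v1", "v2", "v3", "v4", "v5"]   # variables both sides know


def exchange():
    """Replay the slide's three rounds from the EUF side's point of view."""
    initial = CongruenceClosure(L2).implied_equalities(SHARED)       # nothing yet
    after_xy = CongruenceClosure(L2 + [("x", "y")])                   # arith said x = y
    after_v2v5 = CongruenceClosure(L2 + [("x", "y"), ("v2", "v5")])   # arith said v2 = v5
    return initial, after_xy.implied_equalities(SHARED), after_v2v5.consistent()


if __name__ == "__main__":
    print(exchange())
```

Before x = y arrives nothing is deducible on this side; once it is asserted, congruence merges h(x) and h(y), which is exactly the v3 = v4 the slide sends back; and once v2 = v5 arrives, congruence merges P(v2) with P(v5) and hence ⊤ with ⊥, the UNSAT of the last step. The pairwise fixpoint loop is quadratic per pass, which is fine for a demonstration; production solvers use a signature table and a use-list to make it near-linear.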

slide-12
SLIDE 12

Combining disjoint decision procedures

Combining disj. DPs: “unsatisfiable” scenario

[Diagram: Dec. Proc. 1 and Dec. Proc. 2 pass deduced (disjunctions of) equalities back and forth until one of them reports UNSAT]

Sound: every deduced fact is a consequence of the original set of formulas

slide-13
SLIDE 13

Combining disjoint decision procedures

Combining disj. DPs: “satisfiable” scenario

[Diagram: Dec. Proc. 1 and Dec. Proc. 2 pass deduced (disjunctions of) equalities back and forth until no more (disjunctions of) equalities are deducible; Model 1 and Model 2 are then merged into Model 1 + 2]

Really SAT? (Complete?)
  all disjunctions of equalities propagated
  models agree on cardinalities

slide-15
SLIDE 15

Combining disjoint DPs: studying cardinalities

Cardinality agreement: spectrum intersection (1/2)

Spectrum for a set of formulas: the set of cardinalities of its models

[Diagram: as before, Dec. Proc. 1 and Dec. Proc. 2 exchange deduced (disjunctions of) equalities until none is deducible; Model 1 has spectrum S1, Model 2 has spectrum S2, and Model 1 + 2 has spectrum S1 ∩ S2]

Computing the intersection of the spectrums should be possible

slide-16
SLIDE 16

Combining disjoint DPs: studying cardinalities

Cardinality agreement: spectrum intersection (2/2)

Classifying theories according to spectrums:
  stably infinite: if non-empty, then contains ℵ0
  gentle: ∅ or S or {κ | κ ≥ k} ∪ S
  shiny: ∅ or {κ | κ ≥ k}
with k ∈ ℕ, S an arbitrary finite set of finite cardinalities

Notice:
  shiny is gentle and stably infinite
  stably infinite does not imply shiny, nor gentle
    linear arithmetic on integers: stably infinite, not shiny, not gentle
  gentle does not imply shiny, nor stably infinite
    ∀x. x = a ∨ x = b: gentle, not shiny, not stably infinite

slide-17
SLIDE 17

Combining disjoint DPs: studying cardinalities

Cardinality agreement: stably infinite theories

[Diagram: Dec. Proc. 1 (stably infinite) and Dec. Proc. 2 (stably infinite); ℵ0 ∈ S1 and ℵ0 ∈ S2, hence ℵ0 ∈ S1 ∩ S2; Model 1 and Model 2 merge into Model 1 + 2]

The cardinality agreement is trivially fulfilled if both theories are stably infinite:
if both sides are satisfiable, then there exists a model with cardinality ℵ0

slide-18
SLIDE 18

Combining disjoint DPs: studying cardinalities

Cardinality agreement: shiny theories

[Diagram: Dec. Proc. 1 (arbitrary) and Dec. Proc. 2 (shiny), S2 = {κ | κ ≥ k}; add {ai ≠ aj | 1 ≤ i < j ≤ k} to side 1, giving Model 1′ with k′ ∈ S1′ (k′ ≥ k), hence k′ ∈ S1′ ∩ S2 and Model 1′ + 2]

A shiny theory does not impose any condition on the other theory:
  compute the shiny spectrum
  is the other side still satisfiable with a cardinality larger than the lower bound?

slide-19
SLIDE 19

Combining disjoint DPs: studying cardinalities

Cardinalities and the FOL guarded fragments

Guarded fragments: every quantifier occurrence should be of the form
  ∀x. γ(x, y) → ϕ(y)   or   ∃x. γ(x, y) ∧ ϕ(y)
In its least liberal version (GF), γ is an atom (a conjunction of atoms for LGF, a conjunction of atoms and quantified atoms for PGF)

GF, LGF, PGF have the finite model property
GF, LGF, PGF are shiny!

Proof sketch:
  take a model
  add an element that makes every guard false
  the new interpretation is also a model
  the spectrum is thus {κ | κ ≥ k}

slide-20
SLIDE 20

Combining disjoint DPs: studying cardinalities

Cardinality agreement: gentle theories

[Diagram: Dec. Proc. 1 (arbitrary) and Dec. Proc. 2 (gentle), S2 = S ∪ {κ | κ ≥ k}; add {ai ≠ aj | 1 ≤ i < j ≤ k} to side 1, giving Model 1′ with k′ ∈ S1′ (k′ ≥ k), hence k′ ∈ S1′ ∩ S2 and Model 1′ + 2]

compute the gentle spectrum
try the shiny trick
if it does not work... check the individual cardinalities in S
gentle theories are combinable with “nearly” any other theory

slide-21
SLIDE 21

Combining disjoint DPs: studying cardinalities

Cardinality agreement: gentle theories

[Diagram: Dec. Proc. 1 (arbitrary) and Dec. Proc. 2 (gentle), S2 = S ∪ {κ | κ ≥ k}; adding {ai ≠ aj | 1 ≤ i < j ≤ k} to side 1 yields UNSAT, so the shiny trick fails here]

compute the gentle spectrum
try the shiny trick
if it does not work... check the individual cardinalities in S
gentle theories are combinable with “nearly” any other theory

slide-22
SLIDE 22

Combining disjoint DPs: studying cardinalities

Cardinality agreement: gentle theories

[Diagram: Dec. Proc. 1 (arbitrary) and Dec. Proc. 2 (gentle), S2 = S ∪ {κ | κ ≥ k}; add “cardinality is k′ ∈ S” to side 1, giving Model 1′ with S1′ = {k′}, hence S1′ ∩ S2 = {k′} and Model 1′ + 2]

compute the gentle spectrum
try the shiny trick
if it does not work... check the individual cardinalities in S
gentle theories are combinable with “nearly” any other theory

slide-24
SLIDE 24

Combining disjoint DPs: studying cardinalities

Cardinalities and other decidable fragments

Bernays-Schönfinkel-Ramsey: ∃∗∀∗ϕ (ϕ function- and quantifier-free)
two-variable relational fragment
monadic first-order logic
all have the following property (pumping theorem): for every theory T, there is a computable k(T) s.t. if there is a model of cardinality ≥ k(T), there is a model of every cardinality ≥ k(T).

The set of cardinalities is the finite or cofinite set:
  S_T ∪ {κ | κ is a cardinality ∧ κ ≥ k(T)}
with S_T ⊂ ℕ computable and finite, and k(T) computable (T is gentle).

slide-25
SLIDE 25

Combining disjoint DPs: studying cardinalities

Cardinalities and other decidable fragments (2)

Pumping theorem: for every theory T, there is a computable k(T) s.t. if there is a model of cardinality ≥ k(T), there is a model of every cardinality ≥ k(T).

For instance, T is a Löwenheim theory (other classes are “similar”)
  assume there is no constant in T (can be relaxed)
  n is the number of predicates
  q is the number of nested quantifiers
  there are 2^n different configurations (tables, types) for elements of the domain with respect to the n predicates
  if there exists a model with cardinality ≥ q·2^n then there should be ≥ q elements with the same configuration
  any such element can be duplicated, to infinity
  proved by induction on the structure of formulas in T
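The bound q·2^n and the duplication argument can be exercised on a small monadic theory with equality. The following is an added example, not code from the slides: it contains a brute-force evaluator for monadic sentences over finite structures (each element is represented by its configuration, the set of predicates it satisfies), computes k(T) = q·2^n as on the slide, and obtains the spectrum by checking every cardinality below k(T) and, by the pumping theorem, only the single cardinality k(T) for the tail. The formula encoding and the two theories at the end are this example's own constructions.

```python
"""Pumping and spectrum computation for a monadic theory with equality.

Added example (not from the slides): a small evaluator for monadic
first-order sentences over finite structures, the bound k(T) = q·2^n from the
slide, and a brute-force spectrum below that bound.  Formulas are nested
tuples of this example's own design; the theories at the end are constructed.
"""
from itertools import combinations_with_replacement, product

# ('A', 'x') predicate atom, ('eq', 'x', 'y'), ('not', f), ('and', f, g),
# ('or', f, g), ('imp', f, g), ('all', 'x', f), ('ex', 'x', f)


def holds(f, struct, env) -> bool:
    """struct[i] is the set of predicates element i satisfies (its configuration)."""
    tag = f[0]
    if tag == "eq":
        return env[f[1]] == env[f[2]]
    if tag == "not":
        return not holds(f[1], struct, env)
    if tag == "and":
        return holds(f[1], struct, env) and holds(f[2], struct, env)
    if tag == "or":
        return holds(f[1], struct, env) or holds(f[2], struct, env)
    if tag == "imp":
        return not holds(f[1], struct, env) or holds(f[2], struct, env)
    if tag == "all":
        return all(holds(f[2], struct, {**env, f[1]: i}) for i in range(len(struct)))
    if tag == "ex":
        return any(holds(f[2], struct, {**env, f[1]: i}) for i in range(len(struct)))
    return tag in struct[env[f[1]]]          # predicate atom


def depth(f) -> int:
    """q: the number of nested quantifiers."""
    tag = f[0]
    if tag in ("all", "ex"):
        return 1 + depth(f[2])
    if tag == "not":
        return depth(f[1])
    if tag in ("and", "or", "imp"):
        return max(depth(f[1]), depth(f[2]))
    return 0


def predicates(f) -> set:
    tag = f[0]
    if tag in ("all", "ex"):
        return predicates(f[2])
    if tag == "not":
        return predicates(f[1])
    if tag in ("and", "or", "imp"):
        return predicates(f[1]) | predicates(f[2])
    return set() if tag == "eq" else {tag}


def is_model(theory, struct) -> bool:
    return all(holds(f, struct, {}) for f in theory)


def pump(struct, i):
    """Duplicate element i: the copy has the same configuration as the original."""
    return list(struct) + [struct[i]]


def pumping_bound(theory) -> int:
    n = len(set().union(*(predicates(f) for f in theory)))
    q = max(depth(f) for f in theory)
    return q * 2 ** n


def satisfiable_at(theory, m: int) -> bool:
    """Without constants or functions a structure is, up to isomorphism, a
    multiset of configurations, so only those multisets are enumerated."""
    preds = sorted(set().union(*(predicates(f) for f in theory)))
    configs = [frozenset(p for p, on in zip(preds, bits) if on)
               for bits in product((0, 1), repeat=len(preds))]
    return any(is_model(theory, list(s)) for s in combinations_with_replacement(configs, m))


def spectrum(theory):
    """(finite cardinalities below k(T), k(T) if every cardinality >= k(T) works, else None)."""
    k = pumping_bound(theory)
    finite = {m for m in range(1, k) if satisfiable_at(theory, m)}
    return finite, (k if satisfiable_at(theory, k) else None)


# Constructed theories over one predicate A.
# "at most one A, at most one non-A, at least one A": models have 1 or 2 elements
T_SMALL = [
    ("all", "x", ("all", "y", ("imp", ("and", ("A", "x"), ("A", "y")), ("eq", "x", "y")))),
    ("all", "x", ("all", "y", ("imp", ("and", ("not", ("A", "x")), ("not", ("A", "y"))),
                                    ("eq", "x", "y")))),
    ("ex", "x", ("A", "x")),
]
# "some A and some non-A": every cardinality >= 2
T_BOTH = [("ex", "x", ("A", "x")), ("ex", "x", ("not", ("A", "x")))]
```

T_SMALL has n = 1 and q = 2, so k(T) = 4; its spectrum comes out as the finite set {1, 2} with no tail, a gentle but not shiny theory in the sense of the earlier slide. T_BOTH has k(T) = 2 and is satisfiable at that size, so its spectrum is {κ | κ ≥ 2}. Pumping the two-element model of T_BOTH keeps it a model, whereas pumping the two-element model of T_SMALL does not: the duplicated element is the only one of its configuration, fewer than the q = 2 copies the slide's argument needs, which is exactly why the bound is q·2^n and not 2^n.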

slide-26
SLIDE 26

Combining disjoint DPs: studying cardinalities

Combination “in practice”

While combining a BSR, monadic, or two-variable theory T1 with another theory T2:
  first propagate all (disjunctions of) equalities
  if still satisfiable, compute the set of cardinalities for T1 ∪ L1
  if the set is finite, check every cardinality against T2 ∪ L2
  if the set is infinite,
    check every cardinality < k against T2 ∪ L2
    check if T2 ∪ L2 accepts a cardinality ≥ k, by checking the satisfiability of T2 ∪ L2 ∪ {ai ≠ aj | 0 < i < j ≤ k}, where the ai are new constants
  if one cardinality is acceptable for T2 ∪ L2, then the original problem is satisfiable; otherwise it is not.
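The spectrum classification of the earlier slide (stably infinite, gentle, shiny) and the procedure just described fit together in a few dozen lines. The following is an added example, not code from the slides or from the veriT project: a spectrum is stored as a finite set of finite cardinalities, an optional tail {κ | κ ≥ k} and a flag for ℵ0 on its own (integer arithmetic has ℵ0 without any finite tail); `combine` is the procedure above with side 2 reachable only through a decision procedure queried at one finite cardinality or with k pairwise-distinct fresh constants, and `oracle` is a constructed stand-in for that decision procedure built from a known spectrum so that the answers can be cross-checked against the spectrum intersection. The spectra at the end are constructed inputs, chosen to match the slide's examples.

```python
"""Spectra, their classification, and the combination procedure of the last slide.

Added example (not from the slides).  A spectrum is stored as a finite set of
finite cardinalities, an optional tail {κ | κ ≥ tail} and a flag for ℵ0 on
its own; the classification tests follow the slide's definitions, and
`combine` is the procedure described above with side 2 reachable only through
its decision procedure.  The spectra at the end are constructed inputs.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional


@dataclass(frozen=True)
class Spectrum:
    finite: FrozenSet[int] = frozenset()   # finite cardinalities listed one by one
    tail: Optional[int] = None              # k: every cardinality >= k, ℵ0 included
    aleph0: bool = False                    # ℵ0 is a member (implied by a tail)

    def __post_init__(self):
        if self.tail is not None:           # canonical form: the tail absorbs what it covers
            object.__setattr__(self, "finite", frozenset(n for n in self.finite if n < self.tail))
            object.__setattr__(self, "aleph0", True)

    def contains(self, n: int) -> bool:
        return n in self.finite or (self.tail is not None and n >= self.tail)

    def accepts_at_least(self, k: int) -> bool:
        """Some model of cardinality >= k, finite or ℵ0 (what k distinct constants test)."""
        return self.aleph0 or any(n >= k for n in self.finite)

    def is_empty(self) -> bool:
        return not self.finite and not self.aleph0

    # the three classes of the slide
    def stably_infinite(self) -> bool:      # non-empty implies ℵ0 is a member
        return self.is_empty() or self.aleph0

    def gentle(self) -> bool:               # ∅, S, or S ∪ {κ | κ ≥ k}: ℵ0 only via a tail
        return self.aleph0 == (self.tail is not None)

    def shiny(self) -> bool:                # ∅ or {κ | κ ≥ k}
        return not self.finite and self.gentle()

    def intersect(self, other: "Spectrum") -> "Spectrum":
        finite = {n for n in self.finite if other.contains(n)} | \
                 {n for n in other.finite if self.contains(n)}
        tail = None
        if self.tail is not None and other.tail is not None:
            tail = max(self.tail, other.tail)
        return Spectrum(frozenset(finite), tail, self.aleph0 and other.aleph0)


def combine(spec1: Spectrum, sat_at: Callable[[int], bool],
            sat_at_least: Callable[[int], bool]) -> bool:
    """Side 1 (gentle) exposes its spectrum; side 2 is queried at a single finite
    cardinality (sat_at) or with k fresh pairwise-distinct constants (sat_at_least)."""
    if not spec1.gentle():
        raise ValueError("the procedure needs a gentle theory on side 1")
    for n in sorted(spec1.finite):          # every cardinality of S (all are < k)
        if sat_at(n):
            return True
    return spec1.tail is not None and sat_at_least(spec1.tail)


def oracle(spec2: Spectrum):
    """Constructed stand-in for side 2's decision procedure, built from a known spectrum."""
    return spec2.contains, spec2.accepts_at_least


# Constructed spectra: integer linear arithmetic ({ℵ0}), ∀x. x = a ∨ x = b ({1, 2}),
# a guarded-fragment theory ({κ | κ ≥ 3}) and a BSR-like one ({2} ∪ {κ | κ ≥ 5})
LIA = Spectrum(aleph0=True)
TWO = Spectrum(frozenset({1, 2}))
GF3 = Spectrum(tail=3)
BSR = Spectrum(frozenset({2}), 5)


def agrees(spec1: Spectrum, spec2: Spectrum) -> bool:
    """Sanity check: the procedure answers SAT exactly when the spectra intersect."""
    return combine(spec1, *oracle(spec2)) == (not spec1.intersect(spec2).is_empty())
```

The procedure never needs side 2's spectrum, only yes/no answers: for a finite cardinality n it asks whether T2 ∪ L2 has a model of size n, and for the tail it asks whether T2 ∪ L2 stays satisfiable with k fresh constants forced pairwise distinct, which is the question {ai ≠ aj | 0 < i < j ≤ k} encodes. Combining BSR with LIA succeeds through the tail (both admit ℵ0), combining BSR with the two-element theory succeeds at cardinality 2, and combining the guarded theory with the two-element theory fails, as the empty intersection {κ | κ ≥ 3} ∩ {1, 2} predicts.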

slide-27
SLIDE 27

Conclusions

Conclusion and future works

veriT includes a FOL ATP (currently E, also Spass in the future)
Saturation provers are (or can be turned into) decision procedures for decidable FOL fragments
Long-term goal: raise the degree of completeness of the combination SMT + FOL
Future works:
  Ackermann
  there exist extensions: µGF, Rabin (monadic + 1 unary function), Shelah (Ackermann + 1 unary function)
  non-disjoint case: sharing unary symbols
  how can we really turn this into something usable?
  negotiation of cardinality