Decidable fragments of first-order logic, and combinations Pascal - PowerPoint PPT Presentation

Decidable fragments of first-order logic, and combinations Pascal Fontaine GF joint work with Carlos Areces Loria, INRIA, Université de Nancy (France) DECERT, June 28-29, 2010 DECERT, June 28-29, 2010 1 / 1

Introduction Context / Motivation Formal verification of models (B, TLA+,. . . ) generate proof obligations SMT solvers can increase automation for formal verification platforms Proof obligations heavily use sets, relations,. . . Extend the language of SMT solvers with operators for sets, relations,. . . DECERT, June 28-29, 2010 2 / 1

Introduction Extending the language of SMT (1/2) SMT + Syntactic sugar: operator Definition ∈ λ xp . p ( x ) ∩ λ pq . λ x . p ( x ) ∧ q ( x ) \ λ pq . λ x . p ( x ) ∧ ¬ q ( x ) ⊆ λ pq . ∀ x . p ( x ) → q ( x ) . . . . . . a = b ∧ ( { f ( a ) } ∪ E ) ⊆ A ∧ f ( b ) �∈ C ∧ A ∪ B = C ∩ D becomes a = b ∧ ∀ x [( x = f ( a ) ∨ E ( x )) → A ( x )] ∧ ¬ C ( f ( b )) ∧ ∀ x . [ A ( x ) ∨ B ( x )] ≡ [ C ( x ) ∧ D ( x )] DECERT, June 28-29, 2010 3 / 1

Introduction Extending the language of SMT (1/2) SMT + Syntactic sugar: operator Definition ∈ λ xp . p ( x ) ∩ λ pq . λ x . p ( x ) ∧ q ( x ) \ λ pq . λ x . p ( x ) ∧ ¬ q ( x ) ⊆ λ pq . ∀ x . p ( x ) → q ( x ) . . . . . . a = b ∧ ( { f ( a ) } ∪ E ) ⊆ A ∧ f ( b ) �∈ C ∧ A ∪ B = C ∩ D becomes a = b ∧ ∀ x [( x = f ( a ) ∨ E ( x )) → A ( x )] ∧ ¬ C ( f ( b )) ∧ ∀ x . [ A ( x ) ∨ B ( x )] ≡ [ C ( x ) ∧ D ( x )] DECERT, June 28-29, 2010 3 / 1

Introduction Extending the language of SMT (2/2) Formula F is on the language of our favorite SMT solver (for theory T ), but also contains basic operations on sets Study the satisfiability of a quantifier-free formula F ′ in T ∪ T FOL Just basic operations on sets: T FOL is monadic Basic operations on relations: T FOL is BSR ∃ ∗ ∀ ∗ ϕ ( ϕ function- and quantifier-free) T FOL depends on F Goal: prove that any theory T FOL in monadic class (or BSR) is combinable with T DECERT, June 28-29, 2010 4 / 1

Introduction Decidable first-order classes Some well-known decidable first-order classes Restriction on arities: monadic Restriction on quantifier alternation: Ackermann ( ∃ ⋆ ∀∃ ⋆ ), Bernays-Schönfinkel-Ramsey ( ∃ ⋆ ∀ ⋆ ) Restriction on number of variables: 2 variables fragment Restriction on use of quantifiers: The guarded fragment(s) The theories from those classes can be combined with (nearly) any disjoint decidable theory DECERT, June 28-29, 2010 5 / 1

Combining disjoint decision procedures Combining disjoint decision procedures (1) A combination of disjoint languages: � � L = x ≤ y , y ≤ x + f ( x ) , P ( h ( x ) − h ( y )) , ¬ P ( 0 ) , f ( x ) = 0 uninterpreted symbols ( P , f , h ), and arithmetic ( + , − , ≤ , 0 ). Combination of disjoint decision procedures Combination of the empty theory and theory for linear arithmetic (both stably-infinite) Separation using new variables: � � = x ≤ y , y ≤ x + v 1 , v 1 = 0 , v 2 = v 3 − v 4 , v 5 = 0 L 1 � � = P ( v 2 ) , ¬ P ( v 5 ) , v 1 = f ( x ) , v 3 = h ( x ) , v 4 = h ( y ) L 2 . L and L 1 ∪ L 2 both satisfiable or both unsatisfiable. DECERT, June 28-29, 2010 6 / 1

Combining disjoint decision procedures Combining disjoint decision procedures (2) Cooperation by exchanging equalities: = { x ≤ y , y ≤ x + v 1 , v 1 = 0 , v 2 = v 3 − v 4 , v 5 = 0 } L 1 L 2 = { P ( v 2 ) , ¬ P ( v 5 ) , v 1 = f ( x ) , v 3 = h ( x ) , v 4 = h ( y ) } From L 1 , x = y : L 1 = { x ≤ y , y ≤ x + v 1 , v 1 = 0 , v 2 = v 3 − v 4 , v 5 = 0 } L ′ { P ( v 2 ) , ¬ P ( v 5 ) , v 1 = f ( x ) , v 3 = h ( x ) , v 4 = h ( y ) , x = y } = 2 From L ′ 2 , v 3 = v 4 : L ′ { x ≤ y , y ≤ x + v 1 , v 1 = 0 , v 2 = v 3 − v 4 , v 5 = 0 , v 3 = v 4 } = 1 L ′ { P ( v 2 ) , ¬ P ( v 5 ) , v 1 = f ( x ) , v 3 = h ( x ) , v 4 = h ( y ) , x = y } = 2 From L ′ 1 , v 2 = v 5 : L ′ = { x ≤ y , y ≤ x + v 1 , v 1 = 0 , v 2 = v 3 − v 4 , v 5 = 0 , v 3 = v 4 } 1 L ′′ = { P ( v 2 ) , ¬ P ( v 5 ) , v 1 = f ( x ) , v 3 = h ( x ) , v 4 = h ( y ) , x = y , v 2 = v 5 } 2 L ′′ 2 is unsatisfiable. DECERT, June 28-29, 2010 7 / 1

Combining disjoint decision procedures Combining disjoint decision procedures (2) Cooperation by exchanging equalities: = { x ≤ y , y ≤ x + v 1 , v 1 = 0 , v 2 = v 3 − v 4 , v 5 = 0 } L 1 L 2 = { P ( v 2 ) , ¬ P ( v 5 ) , v 1 = f ( x ) , v 3 = h ( x ) , v 4 = h ( y ) } From L 1 , x = y : L 1 = { x ≤ y , y ≤ x + v 1 , v 1 = 0 , v 2 = v 3 − v 4 , v 5 = 0 } L ′ { P ( v 2 ) , ¬ P ( v 5 ) , v 1 = f ( x ) , v 3 = h ( x ) , v 4 = h ( y ) , x = y } = 2 From L ′ 2 , v 3 = v 4 : L ′ { x ≤ y , y ≤ x + v 1 , v 1 = 0 , v 2 = v 3 − v 4 , v 5 = 0 , v 3 = v 4 } = 1 L ′ { P ( v 2 ) , ¬ P ( v 5 ) , v 1 = f ( x ) , v 3 = h ( x ) , v 4 = h ( y ) , x = y } = 2 From L ′ 1 , v 2 = v 5 : L ′ = { x ≤ y , y ≤ x + v 1 , v 1 = 0 , v 2 = v 3 − v 4 , v 5 = 0 , v 3 = v 4 } 1 L ′′ = { P ( v 2 ) , ¬ P ( v 5 ) , v 1 = f ( x ) , v 3 = h ( x ) , v 4 = h ( y ) , x = y , v 2 = v 5 } 2 L ′′ 2 is unsatisfiable. DECERT, June 28-29, 2010 7 / 1

Combining disjoint decision procedures Combining disjoint decision procedures (2) Cooperation by exchanging equalities: = { x ≤ y , y ≤ x + v 1 , v 1 = 0 , v 2 = v 3 − v 4 , v 5 = 0 } L 1 L 2 = { P ( v 2 ) , ¬ P ( v 5 ) , v 1 = f ( x ) , v 3 = h ( x ) , v 4 = h ( y ) } From L 1 , x = y : L 1 = { x ≤ y , y ≤ x + v 1 , v 1 = 0 , v 2 = v 3 − v 4 , v 5 = 0 } L ′ { P ( v 2 ) , ¬ P ( v 5 ) , v 1 = f ( x ) , v 3 = h ( x ) , v 4 = h ( y ) , x = y } = 2 From L ′ 2 , v 3 = v 4 : L ′ { x ≤ y , y ≤ x + v 1 , v 1 = 0 , v 2 = v 3 − v 4 , v 5 = 0 , v 3 = v 4 } = 1 L ′ { P ( v 2 ) , ¬ P ( v 5 ) , v 1 = f ( x ) , v 3 = h ( x ) , v 4 = h ( y ) , x = y } = 2 From L ′ 1 , v 2 = v 5 : L ′ = { x ≤ y , y ≤ x + v 1 , v 1 = 0 , v 2 = v 3 − v 4 , v 5 = 0 , v 3 = v 4 } 1 L ′′ = { P ( v 2 ) , ¬ P ( v 5 ) , v 1 = f ( x ) , v 3 = h ( x ) , v 4 = h ( y ) , x = y , v 2 = v 5 } 2 L ′′ 2 is unsatisfiable. DECERT, June 28-29, 2010 7 / 1

Combining disjoint decision procedures Combining disjoint decision procedures (2) Cooperation by exchanging equalities: = { x ≤ y , y ≤ x + v 1 , v 1 = 0 , v 2 = v 3 − v 4 , v 5 = 0 } L 1 L 2 = { P ( v 2 ) , ¬ P ( v 5 ) , v 1 = f ( x ) , v 3 = h ( x ) , v 4 = h ( y ) } From L 1 , x = y : L 1 = { x ≤ y , y ≤ x + v 1 , v 1 = 0 , v 2 = v 3 − v 4 , v 5 = 0 } L ′ { P ( v 2 ) , ¬ P ( v 5 ) , v 1 = f ( x ) , v 3 = h ( x ) , v 4 = h ( y ) , x = y } = 2 From L ′ 2 , v 3 = v 4 : L ′ { x ≤ y , y ≤ x + v 1 , v 1 = 0 , v 2 = v 3 − v 4 , v 5 = 0 , v 3 = v 4 } = 1 L ′ { P ( v 2 ) , ¬ P ( v 5 ) , v 1 = f ( x ) , v 3 = h ( x ) , v 4 = h ( y ) , x = y } = 2 From L ′ 1 , v 2 = v 5 : L ′ = { x ≤ y , y ≤ x + v 1 , v 1 = 0 , v 2 = v 3 − v 4 , v 5 = 0 , v 3 = v 4 } 1 L ′′ = { P ( v 2 ) , ¬ P ( v 5 ) , v 1 = f ( x ) , v 3 = h ( x ) , v 4 = h ( y ) , x = y , v 2 = v 5 } 2 L ′′ 2 is unsatisfiable. DECERT, June 28-29, 2010 7 / 1

Combining disjoint decision procedures Combining disj. DPs : “unsatisfiable” scenario Dec. Proc. 1 Dec. Proc. 2 deduced (disj. of) equality deduced (disj. of) equality Sound : every deduced fact is a consequence of the original deduced (disj. of) equality set of formulas UNSAT DECERT, June 28-29, 2010 8 / 1

Combining disjoint decision procedures Combining disj. DPs : “satisfiable” scenario Dec. Proc. 1 Dec. Proc. 2 deduced (disj. of) equality Really SAT? (Complete?) deduced (disj. of) equality all disjunctions of equalities propagated deduced (disj. of) equality models agree on No more deducible (disj. of) eq. cardinalities Model 1 Model 2 Model 1 + 2 DECERT, June 28-29, 2010 9 / 1

Combining disjoint decision procedures Combining disj. DPs : “satisfiable” scenario Dec. Proc. 1 Dec. Proc. 2 deduced (disj. of) equality Really SAT? (Complete?) deduced (disj. of) equality all disjunctions of equalities propagated deduced (disj. of) equality models agree on No more deducible (disj. of) eq. cardinalities Model 1 Model 2 Model 1 + 2 DECERT, June 28-29, 2010 9 / 1

Combining disjoint DPs: studying cardinalities Cardinality agreement: spectrum intersection (1/2) Spectrum for set of formulas set of cardinalities of the models Dec. Proc. 1 Dec. Proc. 2 deduced (disj. of) equality deduced (disj. of) equality Computing the intersection deduced (disj. of) equality of the spectrums should be possible No more deducible (disj. of) eq. Model 1 Model 2 Spectrum S 1 Spectrum S 2 Model 1 + 2 Spectrum S 1 ∩ S 2 DECERT, June 28-29, 2010 10 / 1

Combining disjoint DPs: studying cardinalities Cardinality agreement: spectrum intersection (2/2) Classifying theories according to spectrums: stably infinite: if non-empty, then contains ℵ 0 gentle: ∅ { κ | κ ≥ k } ∪ S or S or shiny: ∅ or { κ | κ ≥ k } with k ∈ N , S an arbitrary finite set of finite cardinalities Notice: shiny is gentle and stably infinite stably infinite does not imply shiny, nor gentle Linear arithmetic on integers: stably infinite, not shiny, not gentle gentle does not imply shiny, nor stably infinite ∀ x . x = a ∨ x = b : gentle, not shiny, not stably infinite DECERT, June 28-29, 2010 11 / 1