Deciding the First-Order Theory of an Algebra of Feature Trees with - - PowerPoint PPT Presentation

1/24

Deciding the First-Order Theory

• f an Algebra of Feature Trees with Updates

Nicolas Jeannerod, Ralf Treinen

IRIF , Universit´ e Paris-Diderot

June 25, 2018

2/24

The CoLiS Project

⊲ ANR project with IRIF, Inria Saclay, Inria Lille.

2/24

The CoLiS Project

⊲ ANR project with IRIF, Inria Saclay, Inria Lille. ⊲ Verifying Debian packages

2/24

The CoLiS Project

⊲ ANR project with IRIF, Inria Saclay, Inria Lille. ⊲ Verifying Debian packages:

⊲ A tar archive containing files; ⊲ A few shell scripts.

2/24

The CoLiS Project

⊲ ANR project with IRIF, Inria Saclay, Inria Lille. ⊲ Verifying Debian packages:

⊲ A tar archive containing files; ⊲ A few shell scripts.

⊲ Giving them specifications

2/24

The CoLiS Project

⊲ ANR project with IRIF, Inria Saclay, Inria Lille. ⊲ Verifying Debian packages:

⊲ A tar archive containing files; ⊲ A few shell scripts.

⊲ Giving them specifications:

⊲ Input:

⊲ Environment, ⊲ Execution mode (install, update, removal, purge, ..), ⊲ Input filesystem;

2/24

The CoLiS Project

⊲ ANR project with IRIF, Inria Saclay, Inria Lille. ⊲ Verifying Debian packages:

⊲ A tar archive containing files; ⊲ A few shell scripts.

⊲ Giving them specifications:

⊲ Input:

⊲ Environment, ⊲ Execution mode (install, update, removal, purge, ..), ⊲ Input filesystem;

⊲ Output:

⊲ Success / Error, ⊲ Output filesystem.

2/24

The CoLiS Project

⊲ ANR project with IRIF, Inria Saclay, Inria Lille. ⊲ Verifying Debian packages:

⊲ A tar archive containing files; ⊲ A few shell scripts.

⊲ Giving them specifications:

⊲ Input:

⊲ Environment, ⊲ Execution mode (install, update, removal, purge, ..), ⊲ Input filesystem;

⊲ Output:

⊲ Success / Error, ⊲ Output filesystem.

3/24

Big Picture

Shell

3/24

Big Picture

Shell IL

Translation

3/24

Big Picture

Shell IL

Translation

3/24

Big Picture

Shell IL

Translation

Specifications in Tree Transducers

3/24

Big Picture

Shell IL

Translation

Specifications in Tree Transducers Specifications in Feature Trees

Symbolic Execution

3/24

Big Picture

Shell IL

Translation

Specifications in Tree Transducers Specifications in Feature Trees

Symbolic Execution

4/24

What For?

⊲ Find executions that lead to errors.

⊲ Provide an understandable explanation of why.

4/24

What For?

⊲ Find executions that lead to errors.

⊲ Provide an understandable explanation of why.

⊲ Check properties

4/24

What For?

⊲ Find executions that lead to errors.

⊲ Provide an understandable explanation of why.

⊲ Check properties:

⊲ Script doing nothing: ∀in, out · (specs(in, out) ↔ out . = in)

4/24

What For?

⊲ Find executions that lead to errors.

⊲ Provide an understandable explanation of why.

⊲ Check properties:

⊲ Script doing nothing: ∀in, out · (specs(in, out) ↔ out . = in) ⊲ Equivalence of two scripts: ∀in, out · (specs(in, out) ↔ spect(in, out))

4/24

What For?

⊲ Find executions that lead to errors.

⊲ Provide an understandable explanation of why.

⊲ Check properties:

⊲ Script doing nothing: ∀in, out · (specs(in, out) ↔ out . = in) ⊲ Equivalence of two scripts: ∀in, out · (specs(in, out) ↔ spect(in, out)) ⊲ Script that don’t modify /home: ∀in, out · (specs(in, out) → out[home] = in[home])

4/24

What For?

⊲ Find executions that lead to errors.

⊲ Provide an understandable explanation of why.

⊲ Check properties:

⊲ Script doing nothing: ∀in, out · (specs(in, out) ↔ out . = in) ⊲ Equivalence of two scripts: ∀in, out · (specs(in, out) ↔ spect(in, out)) ⊲ Script that don’t modify /home: ∀in, out · (specs(in, out) → out[home] = in[home]) ⊲ Sequence of scripts that do nothing: ∀in, out · (∃r · (specs(in, r) ∧ spect(r, out)) ↔ out . = in)

5/24

Feature Trees and Update

6/24

Unix Filesystem

/ usr etc lib ⊲ Basically a tree with labelled nodes and edges;

6/24

Unix Filesystem

/ usr etc lib libc.so libc.so.6 ⊲ Basically a tree with labelled nodes and edges; ⊲ There can be sharing at the leafs (hard link between files);

6/24

Unix Filesystem

/ usr etc lib libc.so libc.so.6 lib ⊲ Basically a tree with labelled nodes and edges; ⊲ There can be sharing at the leafs (hard link between files); ⊲ There can be pointers to other parts of the tree (symbolic links)

6/24

Unix Filesystem

/ usr etc lib libc.so libc.so.6 lib root ⊲ Basically a tree with labelled nodes and edges; ⊲ There can be sharing at the leafs (hard link between files); ⊲ There can be pointers to other parts of the tree (symbolic links)

which may form cycles.

7/24

Here Come the Feature Trees

r v w x u∅ usr etc lib skel

• caml

7/24

Here Come the Feature Trees

r v w x u∅ usr etc lib skel

• caml

c(r) =

7/24

Here Come the Feature Trees

r v w x u[∅] usr etc lib skel

• caml

c(r) = ∃u, v, x, w ·

7/24

Here Come the Feature Trees

r v w x u[∅] usr etc lib skel

• caml

c(r) = ∃u, v, x, w · r[usr]v ∧ v[lib]x ∧ r[etc]w ∧ w[skel]u

7/24

Here Come the Feature Trees

r v w x u[∅] usr etc lib skel

• caml

c(r) = ∃u, v, x, w · r[usr]v ∧ v[lib]x ∧ x[ocaml] ↑ ∧ r[etc]w ∧ w[skel]u

7/24

Here Come the Feature Trees

r v w x u[∅] usr etc lib skel

• caml

c(r) = ∃u, v, x, w · r[usr]v ∧ v[lib]x ∧ x[ocaml] ↑ ∧ r[etc]w ∧ w[skel]u ∧ u[∅]

8/24

...and Here Come the Update

r v w x usr etc lib

• caml

8/24

...and Here Come the Update

r v w x usr etc lib

• caml

mkdir /usr/lib/ocaml

8/24

...and Here Come the Update

r v w x usr etc lib

• caml

mkdir /usr/lib/ocaml

r′ v′ w′ x′ y′∅ usr etc lib

• caml

8/24

...and Here Come the Update

r v w x usr etc lib

• caml

mkdir /usr/lib/ocaml

r′ v′ w′ x′ y′∅ usr etc lib

• caml

c′(r, r′) =

8/24

...and Here Come the Update

r v w x usr etc lib

• caml

mkdir /usr/lib/ocaml

r′ v′ w′ x′ y′[∅] usr etc lib

• caml

c′(r, r′) = ∃v, v′, x, x′, y′ ·       

8/24

...and Here Come the Update

r v w x usr etc lib

• caml

mkdir /usr/lib/ocaml

r′ v′ w′ x′ y′[∅] usr etc lib

• caml

c′(r, r′) = ∃v, v′, x, x′, y′ ·        r′ is r with usr → v′ ∧ v′ is v with lib → x′ ∧ x′ is x with ocaml → y′ ∧ y′[∅]

9/24

Er.. Is That Really What We Want?

⊲ Asymmetric: y is x with f → v

9/24

Er.. Is That Really What We Want?

⊲ Asymmetric: y is x with f → v ⊲ Makes it hard to eliminate variables: ∃x ·

• y is x with f → v

∧ z is x with g → w

9/24

Er.. Is That Really What We Want?

⊲ Asymmetric: y is x with f → v ⊲ Makes it hard to eliminate variables: ∃x ·

• y is x with f → v

∧ z is x with g → w

• ⊲ Contains in fact two pieces of information:

9/24

Er.. Is That Really What We Want?

⊲ Asymmetric: y is x with f → v ⊲ Makes it hard to eliminate variables: ∃x ·

• y is x with f → v

∧ z is x with g → w

• ⊲ Contains in fact two pieces of information:

⊲ “y and x may be different in f but are identical everywhere else”

9/24

Er.. Is That Really What We Want?

⊲ Asymmetric: y is x with f → v ⊲ Makes it hard to eliminate variables: ∃x ·

• y is x with f → v

∧ z is x with g → w

• ⊲ Contains in fact two pieces of information:

⊲ “y and x may be different in f but are identical everywhere else” ⊲ “y points to v through f”

9/24

Er.. Is That Really What We Want?

⊲ Asymmetric: y is x with f → v ⊲ Makes it hard to eliminate variables: ∃x ·

• y is x with f → v

∧ z is x with g → w

• ⊲ Contains in fact two pieces of information:

⊲ “y and x may be different in f but are identical everywhere else” ⊲ “y points to v through f”: y[f]v

9/24

Er.. Is That Really What We Want?

⊲ Asymmetric: y is x with f → v ⊲ Makes it hard to eliminate variables: ∃x ·

• y is x with f → v

∧ z is x with g → w

• ⊲ Contains in fact two pieces of information:

⊲ “y and x may be different in f but are identical everywhere else”: y ∼f x ⊲ “y points to v through f”: y[f]v

10/24

• Nah. This Tildy-Thingy Looks Much Better

⊲ Allows to express the update: “y is x with f → v” := y ∼f x ∧ y[f]v

10/24

• Nah. This Tildy-Thingy Looks Much Better

⊲ Allows to express the update: “y is x with f → v” := y ∼f x ∧ y[f]v ⊲ Equivalence relation: y ∼f x ⇐ ⇒ x ∼f y y ∼f x ∧ x ∼f z = ⇒ y ∼f z

10/24

• Nah. This Tildy-Thingy Looks Much Better

⊲ Allows to express the update: “y is x with f → v” := y ∼f x ∧ y[f]v ⊲ Equivalence relation: y ∼f x ⇐ ⇒ x ∼f y y ∼f x ∧ x ∼f z = ⇒ y ∼f z ⊲ Other properties: y ∼f x ∧ x ∼g z = ⇒ y ∼{f,g} z y ∼f x ∧ y ∼g x ⇐ ⇒ y ∼∅ x

10/24

• Nah. This Tildy-Thingy Looks Much Better

⊲ Allows to express the update: “y is x with f → v” := y ∼f x ∧ y[f]v ⊲ Equivalence relation: y ∼f x ⇐ ⇒ x ∼f y y ∼f x ∧ x ∼f z = ⇒ y ∼f z ⊲ Other properties: y ∼f x ∧ x ∼g z = ⇒ y ∼{f,g} z y ∼f x ∧ y ∼g x ⇐ ⇒ y ∼∅ x ⊲ Allows to remove variables: ∃x ·

• y is x with f → v

∧ z is x with g → w

10/24

• Nah. This Tildy-Thingy Looks Much Better

⊲ Allows to express the update: “y is x with f → v” := y ∼f x ∧ y[f]v ⊲ Equivalence relation: y ∼f x ⇐ ⇒ x ∼f y y ∼f x ∧ x ∼f z = ⇒ y ∼f z ⊲ Other properties: y ∼f x ∧ x ∼g z = ⇒ y ∼{f,g} z y ∼f x ∧ y ∼g x ⇐ ⇒ y ∼∅ x ⊲ Allows to remove variables: ∃x ·

• y ∼f x ∧ y[f]v

∧ z ∼g x ∧ z[g]w

10/24

• Nah. This Tildy-Thingy Looks Much Better

⊲ Allows to express the update: “y is x with f → v” := y ∼f x ∧ y[f]v ⊲ Equivalence relation: y ∼f x ⇐ ⇒ x ∼f y y ∼f x ∧ x ∼f z = ⇒ y ∼f z ⊲ Other properties: y ∼f x ∧ x ∼g z = ⇒ y ∼{f,g} z y ∼f x ∧ y ∼g x ⇐ ⇒ y ∼∅ x ⊲ Allows to remove variables: ∃x ·

• y ∼f x ∧ y[f]v

∧ z ∼g x ∧ z[g]w

• ↔ y[f]v ∧ z[g]w

10/24

• Nah. This Tildy-Thingy Looks Much Better

⊲ Allows to express the update: “y is x with f → v” := y ∼f x ∧ y[f]v ⊲ Equivalence relation: y ∼f x ⇐ ⇒ x ∼f y y ∼f x ∧ x ∼f z = ⇒ y ∼f z ⊲ Other properties: y ∼f x ∧ x ∼g z = ⇒ y ∼{f,g} z y ∼f x ∧ y ∼g x ⇐ ⇒ y ∼∅ x ⊲ Allows to remove variables: ∃x ·

• y ∼f x ∧ y[f]v

∧ z ∼g x ∧ z[g]w

• ↔ y[f]v ∧ z[g]w ∧ y ∼{f,g} z

11/24

Model and Examples

FT = F FT ⊲ F infinite set of features (names for the edges); ⊲ F FT : partial function with finite domain;

11/24

Model and Examples

FT = F FT ⊲ F infinite set of features (names for the edges); ⊲ F FT : partial function with finite domain; t1 f g h t2 i h g f t3 f g h f g h

12/24

Constraints and their Interpretation

Equality

x . = y

Feature

x[f]y

Absence

x[f] ↑

Fence

x[F]

Similarity

x ∼F y ⊲ x, y variables. ⊲ f ∈ F, F ⊂ F finite.

12/24

Constraints and their Interpretation

Equality

FT , ρ | = x . = y

iff Feature

FT , ρ | = x[f]y

iff Absence

FT , ρ | = x[f] ↑

iff Fence

FT , ρ | = x[F]

iff Similarity

FT , ρ | = x ∼F y

iff

⊲ x, y variables. ⊲ f ∈ F, F ⊂ F finite. ⊲ ρ a valuation from variables to FT .

12/24

Constraints and their Interpretation

Equality

FT , ρ | = x . = y

iff

ρ(x) = ρ(y)

Feature

FT , ρ | = x[f]y

iff Absence

FT , ρ | = x[f] ↑

iff Fence

FT , ρ | = x[F]

iff Similarity

FT , ρ | = x ∼F y

iff

⊲ x, y variables. ⊲ f ∈ F, F ⊂ F finite. ⊲ ρ a valuation from variables to FT .

12/24

Constraints and their Interpretation

Equality

FT , ρ | = x . = y

iff

ρ(x) = ρ(y)

Feature

FT , ρ | = x[f]y

iff

ρ(x)(f) = ρ(y)

Absence

FT , ρ | = x[f] ↑

iff Fence

FT , ρ | = x[F]

iff Similarity

FT , ρ | = x ∼F y

iff

⊲ x, y variables. ⊲ f ∈ F, F ⊂ F finite. ⊲ ρ a valuation from variables to FT .

12/24

Constraints and their Interpretation

Equality

FT , ρ | = x . = y

iff

ρ(x) = ρ(y)

Feature

FT , ρ | = x[f]y

iff

ρ(x)(f) = ρ(y)

Absence

FT , ρ | = x[f] ↑

iff

f / ∈ dom(ρ(x))

Fence

FT , ρ | = x[F]

iff Similarity

FT , ρ | = x ∼F y

iff

⊲ x, y variables. ⊲ f ∈ F, F ⊂ F finite. ⊲ ρ a valuation from variables to FT .

12/24

Constraints and their Interpretation

Equality

FT , ρ | = x . = y

iff

ρ(x) = ρ(y)

Feature

FT , ρ | = x[f]y

iff

ρ(x)(f) = ρ(y)

Absence

FT , ρ | = x[f] ↑

iff

f / ∈ dom(ρ(x))

Fence

FT , ρ | = x[F]

iff

dom(ρ(x)) ⊆ F

Similarity

FT , ρ | = x ∼F y

iff

⊲ x, y variables. ⊲ f ∈ F, F ⊂ F finite. ⊲ ρ a valuation from variables to FT .

12/24

Constraints and their Interpretation

Equality

FT , ρ | = x . = y

iff

ρ(x) = ρ(y)

Feature

FT , ρ | = x[f]y

iff

ρ(x)(f) = ρ(y)

Absence

FT , ρ | = x[f] ↑

iff

f / ∈ dom(ρ(x))

Fence

FT , ρ | = x[F]

iff

dom(ρ(x)) ⊆ F

Similarity

FT , ρ | = x ∼F y

iff

ρ(x) ↾ F = ρ(y) ↾ F ⊲ x, y variables. ⊲ f ∈ F, F ⊂ F finite. ⊲ ρ a valuation from variables to FT .

13/24

Examples (Again)

t1 f g h t2 i h g f t3 f g h f g h

The following constraints are satisfied in FT , [x → t1, y → t2, z → t3]:

z[f]x, x[i] ↑, x[{f, g, h, i}], x ∼{i} y, x ∼{h,i} y

14/24

Existential Fragment

15/24

Existential Fragment

⊲ Constraint system for symbolic execution.

15/24

Existential Fragment

⊲ Constraint system for symbolic execution. ⊲ Existential quantification on the outside.

15/24

Existential Fragment

⊲ Constraint system for symbolic execution. ⊲ Existential quantification on the outside. ⊲ “Saturation” system:

15/24

Existential Fragment

⊲ Constraint system for symbolic execution. ⊲ Existential quantification on the outside. ⊲ “Saturation” system:

⊲ that terminates,

15/24

Existential Fragment

⊲ Constraint system for symbolic execution. ⊲ Existential quantification on the outside. ⊲ “Saturation” system:

⊲ that terminates, ⊲ that keeps equivalences,

15/24

Existential Fragment

⊲ Constraint system for symbolic execution. ⊲ Existential quantification on the outside. ⊲ “Saturation” system:

⊲ that terminates, ⊲ that keeps equivalences, ⊲ with nice properties on the normal form.

15/24

Existential Fragment

⊲ Constraint system for symbolic execution. ⊲ Existential quantification on the outside. ⊲ “Saturation” system:

⊲ that terminates, ⊲ that keeps equivalences, ⊲ with nice properties on the normal form.

⊲ Normal form: incremental.

15/24

Existential Fragment

⊲ Constraint system for symbolic execution. ⊲ Existential quantification on the outside. ⊲ “Saturation” system:

⊲ that terminates, ⊲ that keeps equivalences, ⊲ with nice properties on the normal form.

⊲ Normal form: incremental. ⊲ The rules come from properties of the constructions.

16/24

Rules with the Feature Constraint

Clash Rules

C-FEAT-ABS

x[f]y ∧ x[f] ↑

C-FEAT-FEN

x[f]y ∧ x[F] (f / ∈ F)

16/24

Rules with the Feature Constraint

Clash Rules

C-FEAT-ABS

x[f]y ∧ x[f] ↑

C-FEAT-FEN

x[f]y ∧ x[F] (f / ∈ F)

Simplification Rules

S-FEATS

∃X, z · (x[f]y ∧ x[f]z ∧ c) ⇒ ∃X · (x[f]y ∧ c{z → y})

17/24

Rules with the Similarity Constraint

Propagation Rules

P-FEAT

x ∼F y ∧ x[f]z ∧ c ⇒ x ∼F y ∧ x[f]z ∧ y[f]z ∧ c (f / ∈ F)

17/24

Rules with the Similarity Constraint

Propagation Rules

P-FEAT

x ∼F y ∧ x[f]z ∧ c ⇒ x ∼F y ∧ x[f]z ∧ y[f]z ∧ c (f / ∈ F)

P-FEN

x ∼F y ∧ x[G] ∧ c ⇒ x ∼F y ∧ x[G] ∧ y[F ∪ G] ∧ c

17/24

Rules with the Similarity Constraint

Propagation Rules

P-FEAT

x ∼F y ∧ x[f]z ∧ c ⇒ x ∼F y ∧ x[f]z ∧ y[f]z ∧ c (f / ∈ F)

P-FEN

x ∼F y ∧ x[G] ∧ c ⇒ x ∼F y ∧ x[G] ∧ y[F ∪ G] ∧ c

P-SIM

x ∼F y ∧ x ∼G z ∧ c ⇒ x ∼F y ∧ x ∼G z ∧ y ∼F∪G z ∧ c

18/24

Properties of the Normal Forms

Lemma

Take a clause c (= ⊥) [...]

c = g ∧ ∃X · l ⊲ in normal form;

18/24

Properties of the Normal Forms

Lemma

Take a clause c (= ⊥) [...]

c = g ∧ ∃X · l ⊲ in normal form; ⊲ such that there is no y[f]x with x ∈ X and y / ∈ X.

18/24

Properties of the Normal Forms

Lemma

Take a clause c (= ⊥) [...]

c = g ∧ ∃X · l ⊲ in normal form; ⊲ such that there is no y[f]x with x ∈ X and y / ∈ X.

Then

FT | = ˜ ∀ · c ↔ g

18/24

Properties of the Normal Forms

Lemma

Take a clause c (= ⊥) [...]

c = g ∧ ∃X · l ⊲ in normal form; ⊲ such that there is no y[f]x with x ∈ X and y / ∈ X.

Then

FT | = ˜ ∀ · c ↔ g ⊲ Corollary: all normal forms (= ⊥) are satisfiable:

⊲ If c is a clause in normal form: FT | = ˜ ∃ · c

18/24

Properties of the Normal Forms

Lemma

Take a clause c (= ⊥) [...]

c = g ∧ ∃X · l ⊲ in normal form; ⊲ such that there is no y[f]x with x ∈ X and y / ∈ X.

Then

FT | = ˜ ∀ · c ↔ g ⊲ Corollary: all normal forms (= ⊥) are satisfiable:

⊲ If c is a clause in normal form: FT | = ˜ ∃ · c

⊲ We can “garbage collect” the normal forms to make them smaller.

19/24

Garbage Collection

r0 x0 y0 usr lib

19/24

Garbage Collection

r0 x0 y0 usr lib ⊲ mkdir /usr/lib/ocaml;

19/24

Garbage Collection

r0 x0 y0 usr lib

• caml

r1 x1 y1 usr lib z1[∅]

• caml

∼{usr} ∼{lib} ∼{ocaml} ⊲ mkdir /usr/lib/ocaml; ⊲ Normal form: satisfiable

19/24

Garbage Collection

r0 x0 y0 usr lib

• caml

r1 x1 y1 usr lib z1[∅]

• caml

∼{usr} ∼{lib} ∼{ocaml} ⊲ mkdir /usr/lib/ocaml; ⊲ mkdir /usr/lib/haskell; ⊲ Normal form: satisfiable

19/24

Garbage Collection

r0 x0 y0 usr lib

• caml

r1 x1 y1 usr lib z1[∅]

• caml

∼{usr} ∼{lib} ∼{ocaml} r2 x2 y2 usr lib w2[∅] haskell haskell ∼{usr} ∼{lib} ∼{haskell} ⊲ mkdir /usr/lib/ocaml; ⊲ mkdir /usr/lib/haskell;

19/24

Garbage Collection

r0 x0 y0 usr lib

• caml

r1 x1 y1 usr lib z1[∅]

• caml

∼{usr} ∼{lib} ∼{ocaml} r2 x2 y2 usr lib w2[∅] haskell haskell ∼{usr} ∼{lib} ∼{haskell} z1

• caml

haskell ⊲ mkdir /usr/lib/ocaml; ⊲ mkdir /usr/lib/haskell;

19/24

Garbage Collection

r0 x0 y0 usr lib

• caml

r1 x1 y1 usr lib z1[∅]

• caml

∼{usr} ∼{lib} ∼{ocaml} r2 x2 y2 usr lib w2[∅] haskell haskell ∼{usr} ∼{lib} ∼{haskell} z1

• caml

haskell ⊲ mkdir /usr/lib/ocaml; ⊲ mkdir /usr/lib/haskell; ⊲ Normal form: satisfiable

19/24

Garbage Collection

r0 x0 y0 usr lib

• caml

r1 x1 y1 usr lib z1[∅]

• caml

∼{usr} ∼{lib} ∼{ocaml} r2 x2 y2 usr lib w2[∅] haskell haskell ∼{usr} ∼{lib} ∼{haskell} z1

• caml

haskell ⊲ mkdir /usr/lib/ocaml; ⊲ mkdir /usr/lib/haskell; ⊲ Normal form: satisfiable

19/24

Garbage Collection

r0 x0 y0 usr lib

• caml

r2 x2 y2 usr lib w2[∅] haskell z1[∅]

• caml

haskell ∼{usr} ∼{lib} ∼{ocaml,haskell} ⊲ mkdir /usr/lib/ocaml; ⊲ mkdir /usr/lib/haskell; ⊲ Normal form: satisfiable

20/24

First Order

21/24

Quantifier Switching

⊲ What can we express with local variables? ∃x · (y[f]x ∧ x[g] ↑)

21/24

Quantifier Switching

⊲ What can we express with local variables? ∃x · (y[f]x ∧ x[g] ↑) ⊲ Usually: add predicates to the language that cover these cases

⊲ Here: predicates about paths (hard to work with).

21/24

Quantifier Switching

⊲ What can we express with local variables? ∃x · (y[f]x ∧ x[g] ↑) ⊲ Usually: add predicates to the language that cover these cases

⊲ Here: predicates about paths (hard to work with).

⊲ The feature constraint is a function:

FEAT-FUN

∃X, x · (y[f]x ∧ c) ⇒ ¬y[f] ↑ ∧∀x · (y[f]x → ∃X · (y[f]x ∧ c)) y / ∈ X y = x

21/24

Quantifier Switching

⊲ What can we express with local variables? ∃x · (y[f]x ∧ x[g] ↑) ⊲ Usually: add predicates to the language that cover these cases

⊲ Here: predicates about paths (hard to work with).

⊲ The feature constraint is a function:

FEAT-FUN

∃X, x · (y[f]x ∧ c) ⇒ ¬y[f] ↑ ∧∀x · (y[f]x → ∃X · (y[f]x ∧ c)) y / ∈ X y = x ⊲ In the example: ¬y[f] ↑ ∧∀x · (y[f]x → x[g] ↑)

22/24

How Does That Help?

FEAT-FUN

∃X, x · (y[f]x ∧ c) ⇒ ¬y[f] ↑ ∧∀x · (y[f]x → ∃X · (y[f]x ∧ c)) y / ∈ X y = x

22/24

How Does That Help?

FEAT-FUN

∃X, x · (y[f]x ∧ c) ⇒ ¬y[f] ↑ ∧∀x · (y[f]x → ∃X · (y[f]x ∧ c)) y / ∈ X y = x Lemma (reminder)

Take a clause c (= ⊥) [...]

c = g ∧ ∃X · l ⊲ in normal form; ⊲ such that there is no y[f]x with x ∈ X and y / ∈ X.

Then

FT | = ˜ ∀ · c ↔ g

22/24

How Does That Help?

FEAT-FUN

∃X, x · (y[f]x ∧ c) ⇒ ¬y[f] ↑ ∧∀x · (y[f]x → ∃X · (y[f]x ∧ c)) y / ∈ X y = x Lemma (reminder)

Take a clause c (= ⊥) [...]

c = g ∧ ∃X · l ⊲ in normal form; ⊲ such that there is no y[f]x with x ∈ X and y / ∈ X.

Then

FT | = ˜ ∀ · c ↔ g ⊲ FEAT-FUN puts us in the hypothesis of the lemma.

22/24

How Does That Help?

FEAT-FUN

∃X, x · (y[f]x ∧ c) ⇒ ¬y[f] ↑ ∧∀x · (y[f]x → ∃X · (y[f]x ∧ c)) y / ∈ X y = x Lemma (reminder)

Take a clause c (= ⊥) [...]

c = g ∧ ∃X · l ⊲ in normal form; ⊲ such that there is no y[f]x with x ∈ X and y / ∈ X.

Then

FT | = ˜ ∀ · c ↔ g ⊲ FEAT-FUN puts us in the hypothesis of the lemma. ⊲ Switch an existential quantification into an universal one.

22/24

How Does That Help?

FEAT-FUN

∃X, x · (y[f]x ∧ c) ⇒ ¬y[f] ↑ ∧∀x · (y[f]x → ∃X · (y[f]x ∧ c)) y / ∈ X y = x Lemma (reminder)

Take a clause c (= ⊥) [...]

c = g ∧ ∃X · l ⊲ in normal form; ⊲ such that there is no y[f]x with x ∈ X and y / ∈ X.

Then

FT | = ˜ ∀ · c ↔ g ⊲ FEAT-FUN puts us in the hypothesis of the lemma. ⊲ Switch an existential quantification into an universal one. ⊲ We can go for a weak quantifier elimination.

23/24

Weak Quantifier Elimination

⊲ If we have a procedure: ∃X · c ⇒ ∀Y · c′

23/24

Weak Quantifier Elimination

⊲ If we have a procedure: ∃X · c ⇒ ∀Y · c′ ⊲ Then: ∀X1 · ∃X2 · · · ∀Xn−1 · ∃Xn · c

23/24

Weak Quantifier Elimination

⊲ If we have a procedure: ∃X · c ⇒ ∀Y · c′ ⊲ Then: ∀X1 · ∃X2 · · · ∀Xn−1 · ∃Xn · c ⇒ ∀X1 · ∃X2 · · · ∀Xn−1 · ∀Yn · c′

23/24

Weak Quantifier Elimination

⊲ If we have a procedure: ∃X · c ⇒ ∀Y · c′ ⊲ Then: ∀X1 · ∃X2 · · · ∀Xn−1 · ∃Xn · c ⇒ ∀X1 · ∃X2 · · · ∀Xn−1 · ∀Yn · c′ = ∀X1 · ∃X2 · · · ∀Xn−1Yn · c′

23/24

Weak Quantifier Elimination

⊲ If we have a procedure: ∃X · c ⇒ ∀Y · c′ ⊲ Then: ∀X1 · ∃X2 · · · ∀Xn−1 · ∃Xn · c ⇒ ∀X1 · ∃X2 · · · ∀Xn−1 · ∀Yn · c′ = ∀X1 · ∃X2 · · · ∀Xn−1Yn · c′ ⇒ ¬ ∃X1 · ∀X2 · · · ∃Xn−1Yn · ¬c′

23/24

Weak Quantifier Elimination

⊲ If we have a procedure: ∃X · c ⇒ ∀Y · c′ ⊲ Then: ∀X1 · ∃X2 · · · ∀Xn−1 · ∃Xn · c ⇒ ∀X1 · ∃X2 · · · ∀Xn−1 · ∀Yn · c′ = ∀X1 · ∃X2 · · · ∀Xn−1Yn · c′ ⇒ ¬ ∃X1 · ∀X2 · · · ∃Xn−1Yn · ¬c′

. . .

⇒ ? ∃Y1 · c′′

23/24

Weak Quantifier Elimination

⊲ If we have a procedure: ∃X · c ⇒ ∀Y · c′ ⊲ Then: ∀X1 · ∃X2 · · · ∀Xn−1 · ∃Xn · c ⇒ ∀X1 · ∃X2 · · · ∀Xn−1 · ∀Yn · c′ = ∀X1 · ∃X2 · · · ∀Xn−1Yn · c′ ⇒ ¬ ∃X1 · ∀X2 · · · ∃Xn−1Yn · ¬c′

. . .

⇒ ? ∃Y1 · c′′ ⊲ We can remove all quantifier blocks but one. ⊲ If we know how to handle the last block, it’s won.

⊲ in our case, we do for closed formula.

24/24

Conclusion

⊲ CoLiS project: verifying Debian packages and their shell scripts. ⊲ Feature trees with update to model modifications of filesystems. ⊲ Incremental procedure to decide satisfiability of an existential fragment. ⊲ Extends to first order via weak quantifier elimination. ⊲ Article:

Nicolas Jeannerod, Ralf Treinen. Deciding the First-Order Theory of an Algebra of Feature Trees with Updates. IJCAR 2018

⊲ Thank you for your attention! Any questions?