Decision Procedures and Verifjcation NAIL094 Petr Kuera Charles - PowerPoint PPT Presentation

Eliminating the Array Terms Goal Transform an array formula into an equisatisfjable formula in a combination of the index theory with the element theory Replace the arrays with uninterpreted functions Functional consistency captures the array consistency Add constraints for the write operation Write rule Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 8 / 39 Replace a { i ← e } with a new array variable a ′ and add constraints 1 a ′ [ i ] = e for the written value 2 ( ∀ j ≠ i )[ a ′ [ j ] = a [ j ]] for the unchanged values

Eliminating the Array Terms Goal Transform an array formula into an equisatisfjable formula in a combination of the index theory with the element theory Replace the arrays with uninterpreted functions Functional consistency captures the array consistency Add constraints for the write operation Write rule Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 8 / 39 Replace a { i ← e } with a new array variable a ′ and add constraints 1 a ′ [ i ] = e for the written value 2 ( ∀ j ≠ i )[ a ′ [ j ] = a [ j ]] for the unchanged values

Eliminating the Array Terms Goal Transform an array formula into an equisatisfjable formula in a combination of the index theory with the element theory Replace the arrays with uninterpreted functions Functional consistency captures the array consistency Add constraints for the write operation Write rule Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 8 / 39 Replace a { i ← e } with a new array variable a ′ and add constraints 1 a ′ [ i ] = e for the written value 2 ( ∀ j ≠ i )[ a ′ [ j ] = a [ j ]] for the unchanged values

Eliminating the Array Terms Goal Transform an array formula into an equisatisfjable formula in a combination of the index theory with the element theory Replace the arrays with uninterpreted functions Functional consistency captures the array consistency Add constraints for the write operation Write rule Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 8 / 39 Replace a { i ← e } with a new array variable a ′ and add constraints 1 a ′ [ i ] = e for the written value 2 ( ∀ j ≠ i )[ a ′ [ j ] = a [ j ]] for the unchanged values

Eliminating the Array Terms Goal Transform an array formula into an equisatisfjable formula in a combination of the index theory with the element theory Replace the arrays with uninterpreted functions Functional consistency captures the array consistency Add constraints for the write operation Write rule Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 8 / 39 Replace a { i ← e } with a new array variable a ′ and add constraints 1 a ′ [ i ] = e for the written value 2 ( ∀ j ≠ i )[ a ′ [ j ] = a [ j ]] for the unchanged values

Eliminating the Array Terms Goal Transform an array formula into an equisatisfjable formula in a combination of the index theory with the element theory Replace the arrays with uninterpreted functions Functional consistency captures the array consistency Add constraints for the write operation Write rule Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 8 / 39 Replace a { i ← e } with a new array variable a ′ and add constraints 1 a ′ [ i ] = e for the written value 2 ( ∀ j ≠ i )[ a ′ [ j ] = a [ j ]] for the unchanged values

Elimination the Array Terms — Example 1 Consider formula After replacing with an uninterpreted function we get Which is a valid formula (in the theory of equality with uninterpreted functions) Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 9 / 39 ( i = j ∧ a [ j ] = 5 ) � ⇒ a [ i ] = 5

Elimination the Array Terms — Example 1 Consider formula Which is a valid formula (in the theory of equality with uninterpreted functions) Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 9 / 39 ( i = j ∧ a [ j ] = 5 ) � ⇒ a [ i ] = 5 After replacing a with an uninterpreted function F a we get ( i = j ∧ F a ( j ) = 5 ) � ⇒ F a ( i ) = 5

Elimination the Array Terms — Example 1 Consider formula Which is a valid formula (in the theory of equality with uninterpreted functions) Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 9 / 39 ( i = j ∧ a [ j ] = 5 ) � ⇒ a [ i ] = 5 After replacing a with an uninterpreted function F a we get ( i = j ∧ F a ( j ) = 5 ) � ⇒ F a ( i ) = 5

Elimination the Array Terms — Example 2 Consider formula Introduce a new array and apply the write rule After replacing with an uninterpreted function Which is a valid formula (in LIA with UF) Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 10 / 39 a { i ← e }[ i ] ≥ e

Elimination the Array Terms — Example 2 Consider formula After replacing with an uninterpreted function Which is a valid formula (in LIA with UF) Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 10 / 39 a { i ← e }[ i ] ≥ e Introduce a new array a ′ = a { i ← e } and apply the write rule a ′ [ i ] = e � ⇒ a ′ [ i ] ≥ e

Elimination the Array Terms — Example 2 Consider formula Which is a valid formula (in LIA with UF) Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 10 / 39 a { i ← e }[ i ] ≥ e Introduce a new array a ′ = a { i ← e } and apply the write rule a ′ [ i ] = e � ⇒ a ′ [ i ] ≥ e After replacing a ′ with an uninterpreted function F a ′ F a ′ ( i ) = e � ⇒ F a ′ ( i ) ≥ e

Elimination the Array Terms — Example 2 Consider formula Which is a valid formula (in LIA with UF) Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 10 / 39 a { i ← e }[ i ] ≥ e Introduce a new array a ′ = a { i ← e } and apply the write rule a ′ [ i ] = e � ⇒ a ′ [ i ] ≥ e After replacing a ′ with an uninterpreted function F a ′ F a ′ ( i ) = e � ⇒ F a ′ ( i ) ≥ e

Elimination the Array Terms — Example 3 Consider formula Introduce a new array and apply write rule After replacing and with uninterpreted functions and Which is a valid formula (in LIA with UF) Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 11 / 39 a [ 0 ] = 10 � ⇒ a { 1 ← 20 }[ 0 ] = 10

Elimination the Array Terms — Example 3 Consider formula After replacing and with uninterpreted functions and Which is a valid formula (in LIA with UF) Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 11 / 39 a [ 0 ] = 10 � ⇒ a { 1 ← 20 }[ 0 ] = 10 Introduce a new array a ′ = a { i ← e } and apply write rule ( a [ 0 ] = 10 ∧ a ′ [ 1 ] = 20 ∧ ( ∀ j ≠ 1 )[ a ′ [ j ] = a [ j ]]) � ⇒ a ′ [ 0 ] = 10

Elimination the Array Terms — Example 3 Consider formula Which is a valid formula (in LIA with UF) Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 11 / 39 a [ 0 ] = 10 � ⇒ a { 1 ← 20 }[ 0 ] = 10 Introduce a new array a ′ = a { i ← e } and apply write rule ( a [ 0 ] = 10 ∧ a ′ [ 1 ] = 20 ∧ ( ∀ j ≠ 1 )[ a ′ [ j ] = a [ j ]]) � ⇒ a ′ [ 0 ] = 10 After replacing a and a ′ with uninterpreted functions F a and F a ′ ( F a ( 0 ) = 10 ∧ F a ′ ( 1 ) = 20 ∧ ( ∀ j ≠ 1 )[ F a ′ ( j ) = F a ( j )]) � ⇒ F a ′ ( 0 ) = 10

Elimination the Array Terms — Example 3 Consider formula Which is a valid formula (in LIA with UF) Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 11 / 39 a [ 0 ] = 10 � ⇒ a { 1 ← 20 }[ 0 ] = 10 Introduce a new array a ′ = a { i ← e } and apply write rule ( a [ 0 ] = 10 ∧ a ′ [ 1 ] = 20 ∧ ( ∀ j ≠ 1 )[ a ′ [ j ] = a [ j ]]) � ⇒ a ′ [ 0 ] = 10 After replacing a and a ′ with uninterpreted functions F a and F a ′ ( F a ( 0 ) = 10 ∧ F a ′ ( 1 ) = 20 ∧ ( ∀ j ≠ 1 )[ F a ′ ( j ) = F a ( j )]) � ⇒ F a ′ ( 0 ) = 10

Decidability of Array Theory Bad news array theory is undecidable Even if the combination of the index theory and the element theory is decidable Good news there are large fragments of array theory which are decidable Quantifjer-free fragment Array properties Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 12 / 39

Decidability of Array Theory Bad news array theory is undecidable Even if the combination of the index theory and the element theory is decidable Good news there are large fragments of array theory which are decidable Quantifjer-free fragment Array properties Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 12 / 39

Decidability of Array Theory Bad news array theory is undecidable Even if the combination of the index theory and the element theory is decidable Good news there are large fragments of array theory which are decidable Quantifjer-free fragment Array properties Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 12 / 39

Decidability of Array Theory Bad news array theory is undecidable Even if the combination of the index theory and the element theory is decidable Good news there are large fragments of array theory which are decidable Quantifjer-free fragment Array properties Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 12 / 39

Decidability of Array Theory Bad news array theory is undecidable Even if the combination of the index theory and the element theory is decidable Good news there are large fragments of array theory which are decidable Quantifjer-free fragment Array properties Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 12 / 39

Array Property Restricts universal quantifjcation over array indices Defjnition (Array property) Array property is a formula of the form Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 13 / 39 ( ∀ i 1 , . . . , i k )[ ϕ ( i 1 , . . . , i k ) � ⇒ ψ ( i 1 , . . . , i k )] i 1 , . . . , i k is a list of index variables that can be used only in array read expressions of the form a [ i j ] ϕ is the index guard with a specifjc structure ψ is the value constraint

Index Guard We assume linear arithmetic over integer as the index theory Defjnition (Index Guard) Structure of an index guard is described by the following grammar No negation in the index guard Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 14 / 39 iguard ∶ iguard ∧ iguard ∣ iguard ∨ iguard ∣ iterm ≤ iterm ∣ iterm = iterm iterm ∶ i 1 ∣ . . . ∣ i k ∣ term term ∶ integer - constant ∣ integer - constant ⋅ index - identifier ∣ term + term where index-identifjer used in term cannot be one of i 1 , . . . , i k .

Array Properties Sorted array array is sorted ifg Bounded array is sorted ifg Partitioned array values in part are not bigger than values in part Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 15 / 39 Extensionality arrays a and b are equal if all their elements are equal ( ∀ i )[ a [ i ] = b [ i ]]

Array Properties Partitioned array values in part are not bigger than values in part Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 15 / 39 Extensionality arrays a and b are equal if all their elements are equal ( ∀ i )[ a [ i ] = b [ i ]] Sorted array array a is sorted ifg ( ∀ i , j )[ i ≤ j � ⇒ a [ i ] ≤ a [ j ]] Bounded array a [ l ∶ u ] is sorted ifg ( ∀ i , j )[ l ≤ i ≤ j ≤ u � ⇒ a [ i ] ≤ a [ j ]]

Array Properties Petr Kučera (Charles University) 2019/20 (11th lecture) Decision Procedures and Verifjcation 15 / 39 Extensionality arrays a and b are equal if all their elements are equal ( ∀ i )[ a [ i ] = b [ i ]] Sorted array array a is sorted ifg ( ∀ i , j )[ i ≤ j � ⇒ a [ i ] ≤ a [ j ]] Bounded array a [ l ∶ u ] is sorted ifg ( ∀ i , j )[ l ≤ i ≤ j ≤ u � ⇒ a [ i ] ≤ a [ j ]] Partitioned array values in part a [ l 1 ∶ u 1 ] are not bigger than values in part a [ l 2 ∶ u 2 ] ( ∀ i , j )[ l 1 ≤ i ≤ u 1 < l 2 ≤ j ≤ u 2 � ⇒ a [ i ] ≤ a [ j ]]

Array Property Fragment Defjnition (Array Property Fragment) Array property fragment consists of boolean combinations of quantifjer free array formulas and array properties. Example Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 16 / 39 ( ∀ j )[ j < i � ⇒ a [ j ] = 0 ] ∧ a ′ = a { i ← 0 } ⇒ a ′ [ j ] = 0 ] � ⇒ ( ∀ j )[ j ≤ i �

Deciding Array Property Fragment Algorithm 1: APF-DP Step 2 Remove write terms using write rule Step 4 Reduce universal quantifjcation to fjnite conjunction Step 5 Replace array read terms by uninterpreted functions Step 6 Decide the resulting (quantifjer-free) formula in index and element theories with uninterpreted functions Transforming a formula into a NNF can change universal quantifjcation over indices into an existential quantifjcation Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 17 / 39 Step 1 Convert ϕ to NNF Step 3 Replace each existential quantifjer (∃ j )[ ψ ( j )] with ψ ( k ) where k is a fresh variable

Running Example We want to check the validity of 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) Which is the same as checking unsatisfjability of 18 / 39 ( ∀ j )[ j < i � ⇒ a [ j ] = 0 ] ∧ a ′ = a { i ← 0 } ⇒ a ′ [ j ] = 0 ] � ⇒ ( ∀ j )[ j ≤ i � ( ∀ j )[ j < i � ⇒ a [ j ] = 0 ] ∧ a ′ = a { i ← 0 } ∧ ( ∃ j )[ j ≤ i ∧ a ′ [ j ] ≠ 0 ]

Applying Write Rule Write rule Formula is not written as an array property inequality is not allowed in the index guard Can be rewritten in form of an array property as Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 19 / 39 Replace a { i ← e } with a new array variable a ′ and add constraints 1 a ′ [ i ] = e for the written value 2 ( ∀ j ≠ i )[ a ′ [ j ] = a [ j ]] for the unchanged values

Applying Write Rule Write rule inequality is not allowed in the index guard Can be rewritten in form of an array property as Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 19 / 39 Replace a { i ← e } with a new array variable a ′ and add constraints 1 a ′ [ i ] = e for the written value 2 ( ∀ j ≠ i )[ a ′ [ j ] = a [ j ]] for the unchanged values Formula ( ∀ j ≠ i )[ a ′ [ j ] = a [ j ]] is not written as an array property

Applying Write Rule Write rule inequality is not allowed in the index guard Can be rewritten in form of an array property as Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 19 / 39 Replace a { i ← e } with a new array variable a ′ and add constraints 1 a ′ [ i ] = e for the written value 2 ( ∀ j ≠ i )[ a ′ [ j ] = a [ j ]] for the unchanged values Formula ( ∀ j ≠ i )[ a ′ [ j ] = a [ j ]] is not written as an array property

Applying Write Rule Write rule inequality is not allowed in the index guard Can be rewritten in form of an array property as Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 19 / 39 Replace a { i ← e } with a new array variable a ′ and add constraints 1 a ′ [ i ] = e for the written value 2 ( ∀ j ≠ i )[ a ′ [ j ] = a [ j ]] for the unchanged values Formula ( ∀ j ≠ i )[ a ′ [ j ] = a [ j ]] is not written as an array property ⇒ ( a ′ [ j ] = a [ j ])] ( ∀ j )[( j ≤ i − 1 ∨ i + 1 ≤ j ) �

Applying Write Rule to Example Before the Write Rule After the Write Rule Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 20 / 39 ( ∀ j )[ j < i � ⇒ a [ j ] = 0 ] ( ∀ j )[ j < i � ⇒ a [ j ] = 0 ] ∧ a ′ = a { i ← 0 } ∧ a ′ [ i ] = 0 ∧ ( ∀ j ≠ i )[ a ′ [ j ] = a [ j ]] ∧ ( ∃ j )[ j ≤ i ∧ a ′ [ j ] ≠ 0 ] ∧ ( ∃ j )[ j ≤ i ∧ a ′ [ j ] ≠ 0 ]

Eliminating Existential Quantifjcation After elimination 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) 21 / 39 The fresh variable is implicitly existentially quantifjed, because we Before elimination Such elimination is possible because the input formula is in NNF fresh variable Replace each existential quantifjer (∃ j )[ ψ ( j )] with ψ ( k ) where k is a are checking satisfjability ( ∀ j )[ j < i � ⇒ a [ j ] = 0 ] ( ∀ j )[ j < i � ⇒ a [ j ] = 0 ] ∧ a ′ [ i ] = 0 ∧ a ′ [ i ] = 0 ∧ ( ∀ j ≠ i )[ a ′ [ j ] = a [ j ]] ∧ ( ∀ j ≠ i )[ a ′ [ j ] = a [ j ]] ∧ ( ∃ j )[ j ≤ i ∧ a ′ [ j ] ≠ 0 ] ∧ k ≤ i ∧ a ′ [ k ] ≠ 0

Eliminating Universal Quantifjcation 3 If 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) with Replace universal quantifjcation nonempty set of index expressions in order to obtain a is contains none of the above, quantifjed variables that are not 2 Add all expressions used inside index guards in quantifjed variables that are not 1 Add all expressions used as an array index in might be possibly assigned to of index expressions that , determine set Given a formula 22 / 39 Consider a formula ϕ which contains universal quantifjcation ( ∀ i ∈ T I )[ P ( i )]

Eliminating Universal Quantifjcation contains none of the above, 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) with Replace universal quantifjcation nonempty set of index expressions in order to obtain a is 3 If quantifjed variables that are not 2 Add all expressions used inside index guards in quantifjed variables that are not 1 Add all expressions used as an array index in 22 / 39 Consider a formula ϕ which contains universal quantifjcation ( ∀ i ∈ T I )[ P ( i )] Given a formula ϕ , determine set I( ϕ ) of index expressions that might be possibly assigned to i

Eliminating Universal Quantifjcation contains none of the above, 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) with Replace universal quantifjcation nonempty set of index expressions in order to obtain a is 3 If quantifjed variables that are not 2 Add all expressions used inside index guards in quantifjed variables 22 / 39 Consider a formula ϕ which contains universal quantifjcation ( ∀ i ∈ T I )[ P ( i )] Given a formula ϕ , determine set I( ϕ ) of index expressions that might be possibly assigned to i 1 Add all expressions used as an array index in ϕ that are not

Eliminating Universal Quantifjcation is 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) with Replace universal quantifjcation nonempty set of index expressions in order to obtain a contains none of the above, 3 If quantifjed variables quantifjed variables 22 / 39 Consider a formula ϕ which contains universal quantifjcation ( ∀ i ∈ T I )[ P ( i )] Given a formula ϕ , determine set I( ϕ ) of index expressions that might be possibly assigned to i 1 Add all expressions used as an array index in ϕ that are not 2 Add all expressions used inside index guards in ϕ that are not

Eliminating Universal Quantifjcation nonempty set of index expressions 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) with Replace universal quantifjcation quantifjed variables 22 / 39 quantifjed variables Consider a formula ϕ which contains universal quantifjcation ( ∀ i ∈ T I )[ P ( i )] Given a formula ϕ , determine set I( ϕ ) of index expressions that might be possibly assigned to i 1 Add all expressions used as an array index in ϕ that are not 2 Add all expressions used inside index guards in ϕ that are not 3 If ϕ contains none of the above, I is { 0 } in order to obtain a

Eliminating Universal Quantifjcation nonempty set of index expressions 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) with Replace universal quantifjcation quantifjed variables 22 / 39 quantifjed variables Consider a formula ϕ which contains universal quantifjcation ( ∀ i ∈ T I )[ P ( i )] Given a formula ϕ , determine set I( ϕ ) of index expressions that might be possibly assigned to i 1 Add all expressions used as an array index in ϕ that are not 2 Add all expressions used inside index guards in ϕ that are not 3 If ϕ contains none of the above, I is { 0 } in order to obtain a

Eliminating Universal Quantifjcation quantifjed variables 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) nonempty set of index expressions 22 / 39 quantifjed variables Consider a formula ϕ which contains universal quantifjcation ( ∀ i ∈ T I )[ P ( i )] Given a formula ϕ , determine set I( ϕ ) of index expressions that might be possibly assigned to i 1 Add all expressions used as an array index in ϕ that are not 2 Add all expressions used inside index guards in ϕ that are not 3 If ϕ contains none of the above, I is { 0 } in order to obtain a Replace universal quantifjcation ( ∀ i ∈ T I )[ P ( i )] with ⋀ P ( i ) i ∈I( ϕ )

Eliminating Universal Quantifjcation — Example Before elimination Set Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 23 / 39 ( ∀ j )[ j < i � ⇒ a [ j ] = 0 ] ∧ a ′ [ i ] = 0 ∧ ( ∀ j ≠ i )[ a ′ [ j ] = a [ j ]] ∧ k ≤ i ∧ a ′ [ k ] ≠ 0

Eliminating Universal Quantifjcation — Example Before elimination Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 23 / 39 ( ∀ j )[ j < i � ⇒ a [ j ] = 0 ] ∧ a ′ [ i ] = 0 ⇒ a ′ [ j ] = a [ j ]] ∧ ( ∀ j )[( j ≠ i ) � ∧ k ≤ i ∧ a ′ [ k ] ≠ 0 Set I( ϕ ) = { i , k }

Eliminating Universal Quantifjcation — Example After elimination 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) Before elimination 23 / 39 ( ∀ j )[ j < i � ⇒ a [ j ] = 0 ] i < i � ⇒ a [ i ] = 0 ∧ a ′ [ i ] = 0 ∧ k < i � ⇒ a [ k ] = 0 ∧ a ′ [ i ] = 0 ⇒ a ′ [ j ] = a [ j ]] ∧ ( ∀ j )[( j ≠ i ) � ⇒ a ′ [ i ] = a [ i ] ∧ i ≠ i � ∧ k ≤ i ∧ a ′ [ k ] ≠ 0 ⇒ a ′ [ k ] = a [ k ] ∧ k ≠ i � ∧ k ≤ i ∧ a ′ [ k ] ≠ 0 Set I( ϕ ) = { i , k }

Eliminating Universal Quantifjcation — Example Removed trivial implications 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) Before elimination 23 / 39 ( ∀ j )[ j < i � ⇒ a [ j ] = 0 ] k < i � ⇒ a [ k ] = 0 ∧ a ′ [ i ] = 0 ∧ a ′ [ i ] = 0 ⇒ a ′ [ j ] = a [ j ]] ∧ ( ∀ j )[( j ≠ i ) � ⇒ a ′ [ k ] = a [ k ] ∧ k ≠ i � ∧ k ≤ i ∧ a ′ [ k ] ≠ 0 ∧ k ≤ i ∧ a ′ [ k ] ≠ 0 Set I( ϕ ) = { i , k }

Replace Arrays With Uninterpreted Functions After replacement 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) Before replacement 24 / 39 k < i � ⇒ a [ k ] = 0 k < i � ⇒ F a ( k ) = 0 ∧ a ′ [ i ] = 0 ∧ F a ′ ( i ) = 0 ⇒ a ′ [ k ] = a [ k ] ∧ k ≠ i � ∧ k ≠ i � ⇒ F a ′ ( k ) = F a ( k ) ∧ k ≤ i ∧ a ′ [ k ] ≠ 0 ∧ k ≤ i ∧ F a ′ ( k ) ≠ 0

Check Satisfjability If 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) The formula is unsatisfjable (and the original formula is valid) contradiction , and , , then contradiction and , then If We have that 25 / 39 k < i � ⇒ F a ( k ) = 0 ∧ F a ′ ( i ) = 0 ∧ k ≠ i � ⇒ F a ′ ( k ) = F a ( k ) ∧ k ≤ i ∧ F a ′ ( k ) ≠ 0

Check Satisfjability If 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) The formula is unsatisfjable (and the original formula is valid) contradiction , and , , then contradiction and , then If 25 / 39 k < i � ⇒ F a ( k ) = 0 ∧ F a ′ ( i ) = 0 ∧ k ≠ i � ⇒ F a ′ ( k ) = F a ( k ) ∧ k ≤ i ∧ F a ′ ( k ) ≠ 0 We have that k ≤ i

Check Satisfjability If 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) The formula is unsatisfjable (and the original formula is valid) contradiction , and , , then 25 / 39 k < i � ⇒ F a ( k ) = 0 ∧ F a ′ ( i ) = 0 ∧ k ≠ i � ⇒ F a ′ ( k ) = F a ( k ) ∧ k ≤ i ∧ F a ′ ( k ) ≠ 0 We have that k ≤ i If k = i , then F a ′ ( i ) = 0 and F a ′ ( i ) ≠ 0 � ⇒ contradiction

Check Satisfjability The formula is unsatisfjable (and the original formula is valid) 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) 25 / 39 k < i � ⇒ F a ( k ) = 0 ∧ F a ′ ( i ) = 0 ∧ k ≠ i � ⇒ F a ′ ( k ) = F a ( k ) ∧ k ≤ i ∧ F a ′ ( k ) ≠ 0 We have that k ≤ i If k = i , then F a ′ ( i ) = 0 and F a ′ ( i ) ≠ 0 � ⇒ contradiction If k < i , then F a ( k ) = 0 , F a ′ ( k ) = F a ( k ) = 0 , and F a ′ ( k ) ≠ 0 � ⇒ contradiction

Check Satisfjability The formula is unsatisfjable (and the original formula is valid) 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) 25 / 39 k < i � ⇒ F a ( k ) = 0 ∧ F a ′ ( i ) = 0 ∧ k ≠ i � ⇒ F a ′ ( k ) = F a ( k ) ∧ k ≤ i ∧ F a ′ ( k ) ≠ 0 We have that k ≤ i If k = i , then F a ′ ( i ) = 0 and F a ′ ( i ) ≠ 0 � ⇒ contradiction If k < i , then F a ( k ) = 0 , F a ′ ( k ) = F a ( k ) = 0 , and F a ′ ( k ) ≠ 0 � ⇒ contradiction

Closing Remarks Theory of arrays is not needed for bounds checking We need to argue only about indices and the array sizes Reduction can be done lazily Useful for using as part of DPLL(T). Multidimensional-arrays — combination of one-dimensional arrays Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 26 / 39

Pointer logic

Motivation *sum+=a[i]; 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) What if sum=&i (the address of i )? What if sum is NULL (zero address)? Is the code correct and safe? } 9 } 8 7 1 for(i=0; i<10; ++i) { 6 *sum=0; 5 void array_sum(int *sum) { 4 3 int i; 2 int a[10]; 28 / 39

Motivation *sum+=a[i]; 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) What if sum=&i (the address of i )? What if sum is NULL (zero address)? Is the code correct and safe? } 9 } 8 7 1 for(i=0; i<10; ++i) { 6 *sum=0; 5 void array_sum(int *sum) { 4 3 int i; 2 int a[10]; 28 / 39

Motivation *sum+=a[i]; 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) What if sum=&i (the address of i )? What if sum is NULL (zero address)? Is the code correct and safe? } 9 } 8 7 1 for(i=0; i<10; ++i) { 6 *sum=0; 5 void array_sum(int *sum) { 4 3 int i; 2 int a[10]; 28 / 39

Motivation *sum+=a[i]; 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) What if sum=&i (the address of i )? What if sum is NULL (zero address)? Is the code correct and safe? } 9 } 8 7 1 for(i=0; i<10; ++i) { 6 *sum=0; 5 void array_sum(int *sum) { 4 3 int i; 2 int a[10]; 28 / 39

Motivation // array p is released 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) How to detect such bug? The last line accesses array p which was already released! // accessing the 3rd element of array p *q=2; 5 delete[] p; 1 4 // p points to the 3rd element of p q=&p[3]; 3 p=new int[10]; // p points to a newly allocated array 2 // uninitialized pointer variables int *p, *q; 29 / 39

Motivation // array p is released 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) How to detect such bug? The last line accesses array p which was already released! // accessing the 3rd element of array p *q=2; 5 delete[] p; 1 4 // p points to the 3rd element of p q=&p[3]; 3 p=new int[10]; // p points to a newly allocated array 2 // uninitialized pointer variables int *p, *q; 29 / 39

Motivation // array p is released 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) How to detect such bug? The last line accesses array p which was already released! // accessing the 3rd element of array p *q=2; 5 delete[] p; 1 4 // p points to the 3rd element of p q=&p[3]; 3 p=new int[10]; // p points to a newly allocated array 2 // uninitialized pointer variables int *p, *q; 29 / 39

Memory Model and Layout Memory model determines how the memory cells are addressed 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) 30 / 39 Each address identifjes a memory cell that can store We assume an address space A which is a subinterval of { 0 , 1 , . . . , N − 1 } a single data word The set of data words is denoted by D Memory valuation M ∶ A � → D is a mapping from a set of adresses A into domain D of data words → A is a mapping from each variable v ∈ V to Memory layout L ∶ V � an address a ∈ A V denotes the set of variables address of v is also called the memory location of v

Memory Model and Layout Memory model determines how the memory cells are addressed 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) 30 / 39 Each address identifjes a memory cell that can store We assume an address space A which is a subinterval of { 0 , 1 , . . . , N − 1 } a single data word The set of data words is denoted by D Memory valuation M ∶ A � → D is a mapping from a set of adresses A into domain D of data words → A is a mapping from each variable v ∈ V to Memory layout L ∶ V � an address a ∈ A V denotes the set of variables address of v is also called the memory location of v

Memory Model and Layout Memory model determines how the memory cells are addressed 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) 30 / 39 Each address identifjes a memory cell that can store We assume an address space A which is a subinterval of { 0 , 1 , . . . , N − 1 } a single data word The set of data words is denoted by D Memory valuation M ∶ A � → D is a mapping from a set of adresses A into domain D of data words → A is a mapping from each variable v ∈ V to Memory layout L ∶ V � an address a ∈ A V denotes the set of variables address of v is also called the memory location of v

Memory Layout Example Memory layout 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) p 9 array[3] 8 array[2] 7 array[1] 6 array[0] 5 S.y 4 S.x 3 var_c 2 var_b 1 var_a 0 } A program 8 *p=100; // var_c=100 7 int main() { 6 5 int *p=&var_c; 4 int array[4]; 3 struct { int x; int y; } S; 2 int var_a, var_b, var_c; 1 31 / 39

Pointers Deallocation releases previously allocated memory to the system 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) RAII garbage collector reference counting explicit Changes the memory layout Pointer a variable which points into memory Sometimes implicit Dynamic allocation allocation of memory during the life of a program Cannot be NULL Hides the actual pointer from the programmer Reference a restricted pointer used in higher level languages Explicitly used in low level languages Contains an address of a memory cell 32 / 39

Pointers Deallocation releases previously allocated memory to the system 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) RAII garbage collector reference counting explicit Changes the memory layout Pointer a variable which points into memory Sometimes implicit Dynamic allocation allocation of memory during the life of a program Cannot be NULL Hides the actual pointer from the programmer Reference a restricted pointer used in higher level languages Explicitly used in low level languages Contains an address of a memory cell 32 / 39

Pointers Deallocation releases previously allocated memory to the system 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) RAII garbage collector reference counting explicit Changes the memory layout Pointer a variable which points into memory Sometimes implicit Dynamic allocation allocation of memory during the life of a program Cannot be NULL Hides the actual pointer from the programmer Reference a restricted pointer used in higher level languages Explicitly used in low level languages Contains an address of a memory cell 32 / 39

Pointers Deallocation releases previously allocated memory to the system 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) RAII garbage collector reference counting explicit Changes the memory layout Pointer a variable which points into memory Sometimes implicit Dynamic allocation allocation of memory during the life of a program Cannot be NULL Hides the actual pointer from the programmer Reference a restricted pointer used in higher level languages Explicitly used in low level languages Contains an address of a memory cell 32 / 39

identifier any variable Simple Pointer Logic We consider only pointer, integer, or integer array Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 33 / 39 fla ∶ fla ∧ fla ∣ fla ∨ fla ∣ ( fla ) ∣ ¬ fla ∣ atom atom ∶ pointer = pointer ∣ term = term ∣ pointer < pointer ∣ term < term pointer ∶ pointer - identifier ∣ pointer + term ∣ ( pointer ) ∣ & identifier ∣ & ∗ pointer ∣ ∗ pointer ∣ NULL term ∶ identifier ∣ ∗ pointer ∣ term op term ∣ integer - constant ∣ identifier [ term ] op ∶ + ∣ − pointer - identifier pointer variable

Pointer Logic Formulas (Examples) Well-formed formulas 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) pointers can be wider No conversion between pointers and integers Pointer logic allows pointer arithmetic 34 / 39 Not well-formed formulas ∗( p + i ) = 1 p + i ∗( p + ∗ p ) = 0 p = i p = q ∧ ∗ p = 5 ∗( p + q ) ∗ 1 = 1 ∗ ∗ ∗ ∗ ∗ p = 1 p < q p < i

Semantics Semantics is given by reduction to linear integer arithmetic and array logic treated as array types Defjned recursively Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 35 / 39 Assume a memory layout L and memory valuation M L P set of pointer logic expressions L D expressions of the logic of data words � . � ∶ L P → L D function which assigns a value � e � ∈ L D to each expression e ∈ L P

Semantics Semantics is given by reduction to linear integer arithmetic and array logic treated as array types Defjned recursively Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 35 / 39 Assume a memory layout L and memory valuation M L P set of pointer logic expressions L D expressions of the logic of data words � . � ∶ L P → L D function which assigns a value � e � ∈ L D to each expression e ∈ L P

Semantics Semantics is given by reduction to linear integer arithmetic and array logic treated as array types Defjned recursively Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 35 / 39 Assume a memory layout L and memory valuation M L P set of pointer logic expressions L D expressions of the logic of data words � . � ∶ L P → L D function which assigns a value � e � ∈ L D to each expression e ∈ L P

Semantics Semantics is given by reduction to linear integer arithmetic and array logic treated as array types Defjned recursively Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 35 / 39 Assume a memory layout L and memory valuation M L P set of pointer logic expressions L D expressions of the logic of data words � . � ∶ L P → L D function which assigns a value � e � ∈ L D to each expression e ∈ L P

Semantics Semantics is given by reduction to linear integer arithmetic and array logic treated as array types Defjned recursively Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 35 / 39 Assume a memory layout L and memory valuation M L P set of pointer logic expressions L D expressions of the logic of data words � . � ∶ L P → L D function which assigns a value � e � ∈ L D to each expression e ∈ L P

Semantics Semantics is given by reduction to linear integer arithmetic and array logic treated as array types Defjned recursively Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 35 / 39 Assume a memory layout L and memory valuation M L P set of pointer logic expressions L D expressions of the logic of data words � . � ∶ L P → L D function which assigns a value � e � ∈ L D to each expression e ∈ L P

36 / 39 formulas 2019/20 (11th lecture) Decision Procedures and Verifjcation Petr Kučera (Charles University) integer constant variable pointer variables terms Recursive Defjnition of � e � � f 1 ∧ f 2 � ≔ � f 1 � ∧ � f 2 � � & v � ≔ L [ v ] � ¬ f � ≔ ¬ � f � � & ∗ p � ≔ � p � � p 1 = p 2 � ≔ � p 1 � = � p 2 � � NULL � ≔ 0 � v � ≔ M [ L [ v ]] � p 1 < p 2 � ≔ � p 1 � < � p 2 � � ∗ p � ≔ M [ � p � ] � t 1 = t 2 � ≔ � t 1 � = � t 2 � � t 1 < t 2 � ≔ � t 1 � < � t 2 � � t 1 op t 2 � ≔ � t 1 � op � t 2 � � p � ≔ M [ L [ p ]] � c � ≔ c � p + t � ≔ � p � + � t � � v [ t ] � ≔ M [ L [ v ] + � t � ] f , f 1 , f 2 v t , t 1 , t 2 c p , p 1 , p 2

Semantics — example original formula Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 37 / 39 Consider expression ∗( & a + 1 ) = a [ 1 ] with an array identifjer a . Then � ∗( & a + 1 ) = a [ 1 ] � ⇐ ⇒ � ∗( & a + 1 ) � = � a [ 1 ] � ⇐ ⇒ M [ � & a + 1 � ] = M [ L [ a ] + � 1 � ] ⇐ ⇒ M [ � & a � + � 1 � ] = M [ L [ a ] + 1 ] ⇐ ⇒ M [ L [ a ] + 1 ] = M [ L [ a ] + 1 ] The resulting formula is valid (satisfjed for any M , L ) and so is is the

Semantics — example original formula Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 37 / 39 Consider expression ∗( & a + 1 ) = a [ 1 ] with an array identifjer a . Then � ∗( & a + 1 ) = a [ 1 ] � ⇐ ⇒ � ∗( & a + 1 ) � = � a [ 1 ] � ⇐ ⇒ M [ � & a + 1 � ] = M [ L [ a ] + � 1 � ] ⇐ ⇒ M [ � & a � + � 1 � ] = M [ L [ a ] + 1 ] ⇐ ⇒ M [ L [ a ] + 1 ] = M [ L [ a ] + 1 ] The resulting formula is valid (satisfjed for any M , L ) and so is is the