Decision Procedures and Verifjcation NAIL094 Petr Kuera Charles - - PowerPoint PPT Presentation

Decision Procedures and Verifjcation

NAIL094 Petr Kučera

Charles University

2019/20 (11th lecture)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 1 / 39

Arrays

Motivation

1

int a[100];

2

for(int i=0; i<100; ++i) {

3

assert((∀j ∈ )[j < i → a[j] = 0]);

4

a[i]=0;

5

assert((∀j ∈ )[j ≤ i → a[j] = 0]);

6

}

7

assert((∀j ∈ )[j ≤ 99 → a[j] = 0]);

How to decide if the assertions hold? Key step The assertion on line follows from the assertion on line after executing line We need theory of arrays to decide the validity of this formula

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 3 / 39

Motivation

1

int a[100];

2

for(int i=0; i<100; ++i) {

3

assert((∀j ∈ )[j < i → a[j] = 0]);

4

a[i]=0;

5

assert((∀j ∈ )[j ≤ i → a[j] = 0]);

6

}

7

assert((∀j ∈ )[j ≤ 99 → a[j] = 0]);

How to decide if the assertions hold? Key step The assertion on line follows from the assertion on line after executing line We need theory of arrays to decide the validity of this formula

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 3 / 39

Motivation

1

int a[100];

2

for(int i=0; i<100; ++i) {

3

assert((∀j ∈ )[j < i → a[j] = 0]);

4

a[i]=0;

5

assert((∀j ∈ )[j ≤ i → a[j] = 0]);

6

}

7

assert((∀j ∈ )[j ≤ 99 → a[j] = 0]);

How to decide if the assertions hold? Key step The assertion on line 5 follows from the assertion on line 3 after executing line 4 (∀j ∈ )[j < i ⇒ a[j] = 0] ∧ a′ = a{i ← 0}

• ⇒ (∀j ∈ )[j ≤ i

⇒ a′[j] = 0] We need theory of arrays to decide the validity of this formula

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 3 / 39

Motivation

1

int a[100];

2

for(int i=0; i<100; ++i) {

3

assert((∀j ∈ )[j < i → a[j] = 0]);

4

a[i]=0;

5

assert((∀j ∈ )[j ≤ i → a[j] = 0]);

6

}

7

assert((∀j ∈ )[j ≤ 99 → a[j] = 0]);

How to decide if the assertions hold? Key step The assertion on line 5 follows from the assertion on line 3 after executing line 4 (∀j ∈ )[j < i ⇒ a[j] = 0] ∧ a′ = a{i ← 0}

• ⇒ (∀j ∈ )[j ≤ i

⇒ a′[j] = 0] We need theory of arrays to decide the validity of this formula

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 3 / 39

Arrays

A fundamental nonrecursive data type in programming languages

Also used to model memory in hardware

Deciding formulas with arrays necessary for software analysis Array is formalized as a map Index type described by index theory

Should allow quantifjcation e.g. linear arithmetic over integers (Presburger) with quantifjcation

Element type described by element theory Array theory combines index theory with element theory

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 4 / 39

Arrays

A fundamental nonrecursive data type in programming languages

Also used to model memory in hardware

Deciding formulas with arrays necessary for software analysis Array is formalized as a map Index type described by index theory

Should allow quantifjcation e.g. linear arithmetic over integers (Presburger) with quantifjcation

Element type described by element theory Array theory combines index theory with element theory

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 4 / 39

Arrays

A fundamental nonrecursive data type in programming languages

Also used to model memory in hardware

Deciding formulas with arrays necessary for software analysis Array a is formalized as a map a ∶ TI → TE Index type described by index theory

Should allow quantifjcation e.g. linear arithmetic over integers (Presburger) with quantifjcation

Element type described by element theory Array theory combines index theory with element theory

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 4 / 39

Arrays

A fundamental nonrecursive data type in programming languages

Also used to model memory in hardware

Deciding formulas with arrays necessary for software analysis Array a is formalized as a map a ∶ TI → TE Index type TI described by index theory I

Should allow quantifjcation e.g. linear arithmetic over integers (Presburger) with quantifjcation

Element type described by element theory Array theory combines index theory with element theory

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 4 / 39

Arrays

A fundamental nonrecursive data type in programming languages

Also used to model memory in hardware

Deciding formulas with arrays necessary for software analysis Array a is formalized as a map a ∶ TI → TE Index type TI described by index theory I

Should allow quantifjcation e.g. linear arithmetic over integers (Presburger) with quantifjcation

Element type TE described by element theory E Array theory combines index theory with element theory

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 4 / 39

Arrays

A fundamental nonrecursive data type in programming languages

Also used to model memory in hardware

Deciding formulas with arrays necessary for software analysis Array a is formalized as a map a ∶ TI → TE Index type TI described by index theory I

Should allow quantifjcation e.g. linear arithmetic over integers (Presburger) with quantifjcation

Element type TE described by element theory E Array theory TA combines index theory TI with element theory TE

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 4 / 39

Array Operations

Two basic operations on arrays Reading an element with index i from a a[i] denotes the value of element with index i Array index operator Writing an element with index denotes the where element at index was replaced by element Returns a new array with updated value Array update or array store operator

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 5 / 39

Array Operations

Two basic operations on arrays Reading an element with index i from a a[i] denotes the value of element with index i Array index operator Writing an element with index i a{i ← e} denotes the a where element at index i was replaced by element a Returns a new array with updated value Array update or array store operator

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 5 / 39

Syntax

Theory of arrays extends combination of the index theory I and the element theory E Denote termA terms special to theory of arrays A termI terms of the index theory I termE terms of the element theory E We add the following syntax rules to the rules of theories I and E termA ∶ array-identifier ∣ termA{termI ← termE} termE ∶ termA[termI] ∣ . . . fla ∶ termA = termA ∣ . . . The dots represent rules already present in the theories I and E

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 6 / 39

Semantics

We use the following axioms Array consistency (∀a1, a2 ∈ TA)(∀i,j ∈ TI) (a1 = a2 ∧ i = j) ⇒ a1[i] = a2[j] Read-over-write

• therwise

Extensionality rule

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 7 / 39

Semantics

We use the following axioms Array consistency (∀a1, a2 ∈ TA)(∀i,j ∈ TI) (a1 = a2 ∧ i = j) ⇒ a1[i] = a2[j] Read-over-write (∀a ∈ TA)(∀e ∈ TE)(∀i,j ∈ TI) a{i ← e}[j] = ⎧ ⎪ ⎪ ⎨ ⎪ ⎪ ⎩ e i = j a[j]

• therwise

Extensionality rule

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 7 / 39

Semantics

We use the following axioms Array consistency (∀a1, a2 ∈ TA)(∀i,j ∈ TI) (a1 = a2 ∧ i = j) ⇒ a1[i] = a2[j] Read-over-write (∀a ∈ TA)(∀e ∈ TE)(∀i,j ∈ TI) a{i ← e}[j] = ⎧ ⎪ ⎪ ⎨ ⎪ ⎪ ⎩ e i = j a[j]

• therwise

Extensionality rule (∀a1, a2 ∈ TA)(∀i ∈ TI) a1[i] = a2[i] ⇒ a1 = a2

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 7 / 39

Eliminating the Array Terms

Goal

Transform an array formula into an equisatisfjable formula in a combination of the index theory with the element theory Replace the arrays with uninterpreted functions

Functional consistency captures the array consistency

Add constraints for the write operation

Write rule

Replace a{i ← e} with a new array variable a′ and add constraints

1 a′[i] = e for the written value 2 (∀j ≠ i)[a′[j] = a[j]] for the unchanged values

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 8 / 39

Eliminating the Array Terms

Goal

Transform an array formula into an equisatisfjable formula in a combination of the index theory with the element theory Replace the arrays with uninterpreted functions

Functional consistency captures the array consistency

Add constraints for the write operation

Write rule

Replace a{i ← e} with a new array variable a′ and add constraints

1 a′[i] = e for the written value 2 (∀j ≠ i)[a′[j] = a[j]] for the unchanged values

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 8 / 39

Eliminating the Array Terms

Goal

Transform an array formula into an equisatisfjable formula in a combination of the index theory with the element theory Replace the arrays with uninterpreted functions

Functional consistency captures the array consistency

Add constraints for the write operation

Write rule

Replace a{i ← e} with a new array variable a′ and add constraints

1 a′[i] = e for the written value 2 (∀j ≠ i)[a′[j] = a[j]] for the unchanged values

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 8 / 39

Eliminating the Array Terms

Goal

Transform an array formula into an equisatisfjable formula in a combination of the index theory with the element theory Replace the arrays with uninterpreted functions

Functional consistency captures the array consistency

Add constraints for the write operation

Write rule

Replace a{i ← e} with a new array variable a′ and add constraints

1 a′[i] = e for the written value 2 (∀j ≠ i)[a′[j] = a[j]] for the unchanged values

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 8 / 39

Eliminating the Array Terms

Goal

Transform an array formula into an equisatisfjable formula in a combination of the index theory with the element theory Replace the arrays with uninterpreted functions

Functional consistency captures the array consistency

Add constraints for the write operation

Write rule

Replace a{i ← e} with a new array variable a′ and add constraints

1 a′[i] = e for the written value 2 (∀j ≠ i)[a′[j] = a[j]] for the unchanged values

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 8 / 39

Eliminating the Array Terms

Goal

Transform an array formula into an equisatisfjable formula in a combination of the index theory with the element theory Replace the arrays with uninterpreted functions

Functional consistency captures the array consistency

Add constraints for the write operation

Write rule

Replace a{i ← e} with a new array variable a′ and add constraints

1 a′[i] = e for the written value 2 (∀j ≠ i)[a′[j] = a[j]] for the unchanged values

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 8 / 39

Eliminating the Array Terms

Goal

Transform an array formula into an equisatisfjable formula in a combination of the index theory with the element theory Replace the arrays with uninterpreted functions

Functional consistency captures the array consistency

Add constraints for the write operation

Write rule

Replace a{i ← e} with a new array variable a′ and add constraints

1 a′[i] = e for the written value 2 (∀j ≠ i)[a′[j] = a[j]] for the unchanged values

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 8 / 39

Elimination the Array Terms — Example 1

Consider formula (i = j ∧ a[j] = 5) ⇒ a[i] = 5 After replacing with an uninterpreted function we get Which is a valid formula (in the theory of equality with uninterpreted functions)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 9 / 39

Elimination the Array Terms — Example 1

Consider formula (i = j ∧ a[j] = 5) ⇒ a[i] = 5 After replacing a with an uninterpreted function Fa we get (i = j ∧ Fa(j) = 5) ⇒ Fa(i) = 5 Which is a valid formula (in the theory of equality with uninterpreted functions)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 9 / 39

Elimination the Array Terms — Example 1

Consider formula (i = j ∧ a[j] = 5) ⇒ a[i] = 5 After replacing a with an uninterpreted function Fa we get (i = j ∧ Fa(j) = 5) ⇒ Fa(i) = 5 Which is a valid formula (in the theory of equality with uninterpreted functions)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 9 / 39

Elimination the Array Terms — Example 2

Consider formula a{i ← e}[i] ≥ e Introduce a new array and apply the write rule After replacing with an uninterpreted function Which is a valid formula (in LIA with UF)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 10 / 39

Elimination the Array Terms — Example 2

Consider formula a{i ← e}[i] ≥ e Introduce a new array a′ = a{i ← e} and apply the write rule a′[i] = e ⇒ a′[i] ≥ e After replacing with an uninterpreted function Which is a valid formula (in LIA with UF)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 10 / 39

Elimination the Array Terms — Example 2

Consider formula a{i ← e}[i] ≥ e Introduce a new array a′ = a{i ← e} and apply the write rule a′[i] = e ⇒ a′[i] ≥ e After replacing a′ with an uninterpreted function Fa′ Fa′(i) = e ⇒ Fa′(i) ≥ e Which is a valid formula (in LIA with UF)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 10 / 39

Elimination the Array Terms — Example 2

Consider formula a{i ← e}[i] ≥ e Introduce a new array a′ = a{i ← e} and apply the write rule a′[i] = e ⇒ a′[i] ≥ e After replacing a′ with an uninterpreted function Fa′ Fa′(i) = e ⇒ Fa′(i) ≥ e Which is a valid formula (in LIA with UF)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 10 / 39

Elimination the Array Terms — Example 3

Consider formula a[0] = 10 ⇒ a{1 ← 20}[0] = 10 Introduce a new array and apply write rule After replacing and with uninterpreted functions and Which is a valid formula (in LIA with UF)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 11 / 39

Elimination the Array Terms — Example 3

Consider formula a[0] = 10 ⇒ a{1 ← 20}[0] = 10 Introduce a new array a′ = a{i ← e} and apply write rule (a[0] = 10 ∧ a′[1] = 20 ∧ (∀j ≠ 1)[a′[j] = a[j]]) ⇒ a′[0] = 10 After replacing and with uninterpreted functions and Which is a valid formula (in LIA with UF)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 11 / 39

Elimination the Array Terms — Example 3

Consider formula a[0] = 10 ⇒ a{1 ← 20}[0] = 10 Introduce a new array a′ = a{i ← e} and apply write rule (a[0] = 10 ∧ a′[1] = 20 ∧ (∀j ≠ 1)[a′[j] = a[j]]) ⇒ a′[0] = 10 After replacing a and a′ with uninterpreted functions Fa and Fa′ (Fa(0) = 10 ∧ Fa′(1) = 20 ∧ (∀j ≠ 1)[Fa′(j) = Fa(j)]) ⇒ Fa′(0) = 10 Which is a valid formula (in LIA with UF)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 11 / 39

Elimination the Array Terms — Example 3

Consider formula a[0] = 10 ⇒ a{1 ← 20}[0] = 10 Introduce a new array a′ = a{i ← e} and apply write rule (a[0] = 10 ∧ a′[1] = 20 ∧ (∀j ≠ 1)[a′[j] = a[j]]) ⇒ a′[0] = 10 After replacing a and a′ with uninterpreted functions Fa and Fa′ (Fa(0) = 10 ∧ Fa′(1) = 20 ∧ (∀j ≠ 1)[Fa′(j) = Fa(j)]) ⇒ Fa′(0) = 10 Which is a valid formula (in LIA with UF)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 11 / 39

Decidability of Array Theory

Bad news array theory is undecidable Even if the combination of the index theory and the element theory is decidable Good news there are large fragments of array theory which are decidable Quantifjer-free fragment Array properties

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 12 / 39

Decidability of Array Theory

Bad news array theory is undecidable Even if the combination of the index theory and the element theory is decidable Good news there are large fragments of array theory which are decidable Quantifjer-free fragment Array properties

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 12 / 39

Decidability of Array Theory

Bad news array theory is undecidable Even if the combination of the index theory and the element theory is decidable Good news there are large fragments of array theory which are decidable Quantifjer-free fragment Array properties

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 12 / 39

Decidability of Array Theory

Bad news array theory is undecidable Even if the combination of the index theory and the element theory is decidable Good news there are large fragments of array theory which are decidable Quantifjer-free fragment Array properties

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 12 / 39

Decidability of Array Theory

Bad news array theory is undecidable Even if the combination of the index theory and the element theory is decidable Good news there are large fragments of array theory which are decidable Quantifjer-free fragment Array properties

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 12 / 39

Array Property

Restricts universal quantifjcation over array indices

Defjnition (Array property)

Array property is a formula of the form (∀i1, . . . ,ik)[ϕ(i1, . . . ,ik) ⇒ ψ(i1, . . . ,ik)] i1, . . . , ik is a list of index variables that can be used only in array read expressions of the form a[ij] ϕ is the index guard with a specifjc structure ψ is the value constraint

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 13 / 39

Index Guard

We assume linear arithmetic over integer as the index theory

Defjnition (Index Guard)

Structure of an index guard is described by the following grammar iguard ∶ iguard ∧ iguard ∣ iguard ∨ iguard ∣ iterm ≤ iterm ∣ iterm = iterm iterm ∶ i1 ∣ . . . ∣ ik ∣ term term ∶ integer-constant ∣ integer-constant ⋅ index-identifier ∣ term + term where index-identifjer used in term cannot be one of i1, . . . ,ik. No negation in the index guard

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 14 / 39

Array Properties

Extensionality arrays a and b are equal if all their elements are equal (∀i)[a[i] = b[i]] Sorted array array is sorted ifg Bounded array is sorted ifg Partitioned array values in part are not bigger than values in part

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 15 / 39

Array Properties

Extensionality arrays a and b are equal if all their elements are equal (∀i)[a[i] = b[i]] Sorted array array a is sorted ifg (∀i, j)[i ≤ j ⇒ a[i] ≤ a[j]] Bounded array a[l ∶ u] is sorted ifg (∀i, j)[l ≤ i ≤ j ≤ u ⇒ a[i] ≤ a[j]] Partitioned array values in part are not bigger than values in part

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 15 / 39

Array Properties

Extensionality arrays a and b are equal if all their elements are equal (∀i)[a[i] = b[i]] Sorted array array a is sorted ifg (∀i, j)[i ≤ j ⇒ a[i] ≤ a[j]] Bounded array a[l ∶ u] is sorted ifg (∀i, j)[l ≤ i ≤ j ≤ u ⇒ a[i] ≤ a[j]] Partitioned array values in part a[l1 ∶ u1] are not bigger than values in part a[l2 ∶ u2] (∀i,j)[l1 ≤ i ≤ u1 < l2 ≤ j ≤ u2 ⇒ a[i] ≤ a[j]]

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 15 / 39

Array Property Fragment

Defjnition (Array Property Fragment)

Array property fragment consists of boolean combinations of quantifjer free array formulas and array properties.

Example

(∀j)[j < i ⇒ a[j] = 0] ∧ a′ = a{i ← 0}

• ⇒ (∀j)[j ≤ i

⇒ a′[j] = 0]

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 16 / 39

Deciding Array Property Fragment

Algorithm 1: APF-DP

Step 1 Convert ϕ to NNF Step 2 Remove write terms using write rule Step 3 Replace each existential quantifjer (∃j)[ψ(j)] with ψ(k)

where k is a fresh variable

Step 4 Reduce universal quantifjcation to fjnite conjunction Step 5 Replace array read terms by uninterpreted functions Step 6 Decide the resulting (quantifjer-free) formula in index and

element theories with uninterpreted functions Transforming a formula into a NNF can change universal quantifjcation over indices into an existential quantifjcation

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 17 / 39

Running Example

We want to check the validity of (∀j)[j < i ⇒ a[j] = 0] ∧ a′ = a{i ← 0}

• ⇒ (∀j)[j ≤ i

⇒ a′[j] = 0] Which is the same as checking unsatisfjability of (∀j)[j < i ⇒ a[j] = 0] ∧ a′ = a{i ← 0} ∧ (∃j)[j ≤ i ∧ a′[j] ≠ 0]

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 18 / 39

Applying Write Rule

Write rule

Replace a{i ← e} with a new array variable a′ and add constraints

1 a′[i] = e for the written value 2 (∀j ≠ i)[a′[j] = a[j]] for the unchanged values

Formula is not written as an array property

inequality is not allowed in the index guard

Can be rewritten in form of an array property as

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 19 / 39

Applying Write Rule

Write rule

Replace a{i ← e} with a new array variable a′ and add constraints

1 a′[i] = e for the written value 2 (∀j ≠ i)[a′[j] = a[j]] for the unchanged values

Formula (∀j ≠ i)[a′[j] = a[j]] is not written as an array property

inequality is not allowed in the index guard

Can be rewritten in form of an array property as

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 19 / 39

Applying Write Rule

Write rule

Replace a{i ← e} with a new array variable a′ and add constraints

1 a′[i] = e for the written value 2 (∀j ≠ i)[a′[j] = a[j]] for the unchanged values

Formula (∀j ≠ i)[a′[j] = a[j]] is not written as an array property

inequality is not allowed in the index guard

Can be rewritten in form of an array property as

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 19 / 39

Applying Write Rule

Write rule

Replace a{i ← e} with a new array variable a′ and add constraints

1 a′[i] = e for the written value 2 (∀j ≠ i)[a′[j] = a[j]] for the unchanged values

Formula (∀j ≠ i)[a′[j] = a[j]] is not written as an array property

inequality is not allowed in the index guard

Can be rewritten in form of an array property as (∀j)[(j ≤ i − 1 ∨ i + 1 ≤ j) ⇒ (a′[j] = a[j])]

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 19 / 39

Applying Write Rule to Example

Before the Write Rule (∀j)[j < i ⇒ a[j] = 0] ∧ a′ = a{i ← 0} ∧ (∃j)[j ≤ i ∧ a′[j] ≠ 0] After the Write Rule (∀j)[j < i ⇒ a[j] = 0] ∧ a′[i] = 0 ∧ (∀j ≠ i)[a′[j] = a[j]] ∧ (∃j)[j ≤ i ∧ a′[j] ≠ 0]

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 20 / 39

Eliminating Existential Quantifjcation

Replace each existential quantifjer (∃j)[ψ(j)] with ψ(k) where k is a fresh variable Such elimination is possible because the input formula is in NNF The fresh variable is implicitly existentially quantifjed, because we are checking satisfjability Before elimination (∀j)[j < i ⇒ a[j] = 0] ∧ a′[i] = 0 ∧ (∀j ≠ i)[a′[j] = a[j]] ∧ (∃j)[j ≤ i ∧ a′[j] ≠ 0] After elimination (∀j)[j < i ⇒ a[j] = 0] ∧ a′[i] = 0 ∧ (∀j ≠ i)[a′[j] = a[j]] ∧ k ≤ i ∧ a′[k] ≠ 0

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 21 / 39

Eliminating Universal Quantifjcation

Consider a formula ϕ which contains universal quantifjcation (∀i ∈ TI)[P(i)] Given a formula , determine set

• f index expressions that

might be possibly assigned to

1 Add all expressions used as an array index in

that are not quantifjed variables

2 Add all expressions used inside index guards in

that are not quantifjed variables

3 If

contains none of the above, is in order to obtain a nonempty set of index expressions

Replace universal quantifjcation with

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 22 / 39

Eliminating Universal Quantifjcation

Consider a formula ϕ which contains universal quantifjcation (∀i ∈ TI)[P(i)] Given a formula ϕ, determine set I(ϕ) of index expressions that might be possibly assigned to i

1 Add all expressions used as an array index in

that are not quantifjed variables

2 Add all expressions used inside index guards in

that are not quantifjed variables

3 If

contains none of the above, is in order to obtain a nonempty set of index expressions

Replace universal quantifjcation with

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 22 / 39

Eliminating Universal Quantifjcation

Consider a formula ϕ which contains universal quantifjcation (∀i ∈ TI)[P(i)] Given a formula ϕ, determine set I(ϕ) of index expressions that might be possibly assigned to i

1 Add all expressions used as an array index in ϕ that are not

quantifjed variables

2 Add all expressions used inside index guards in

that are not quantifjed variables

3 If

contains none of the above, is in order to obtain a nonempty set of index expressions

Replace universal quantifjcation with

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 22 / 39

Eliminating Universal Quantifjcation

Consider a formula ϕ which contains universal quantifjcation (∀i ∈ TI)[P(i)] Given a formula ϕ, determine set I(ϕ) of index expressions that might be possibly assigned to i

1 Add all expressions used as an array index in ϕ that are not

quantifjed variables

2 Add all expressions used inside index guards in ϕ that are not

quantifjed variables

3 If

contains none of the above, is in order to obtain a nonempty set of index expressions

Replace universal quantifjcation with

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 22 / 39

Eliminating Universal Quantifjcation

Consider a formula ϕ which contains universal quantifjcation (∀i ∈ TI)[P(i)] Given a formula ϕ, determine set I(ϕ) of index expressions that might be possibly assigned to i

1 Add all expressions used as an array index in ϕ that are not

quantifjed variables

2 Add all expressions used inside index guards in ϕ that are not

quantifjed variables

3 If ϕ contains none of the above, I is {0} in order to obtain a

nonempty set of index expressions

Replace universal quantifjcation with

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 22 / 39

Eliminating Universal Quantifjcation

Consider a formula ϕ which contains universal quantifjcation (∀i ∈ TI)[P(i)] Given a formula ϕ, determine set I(ϕ) of index expressions that might be possibly assigned to i

1 Add all expressions used as an array index in ϕ that are not

quantifjed variables

2 Add all expressions used inside index guards in ϕ that are not

quantifjed variables

3 If ϕ contains none of the above, I is {0} in order to obtain a

nonempty set of index expressions

Replace universal quantifjcation with

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 22 / 39

Eliminating Universal Quantifjcation

Consider a formula ϕ which contains universal quantifjcation (∀i ∈ TI)[P(i)] Given a formula ϕ, determine set I(ϕ) of index expressions that might be possibly assigned to i

1 Add all expressions used as an array index in ϕ that are not

quantifjed variables

2 Add all expressions used inside index guards in ϕ that are not

quantifjed variables

3 If ϕ contains none of the above, I is {0} in order to obtain a

nonempty set of index expressions

Replace universal quantifjcation (∀i ∈ TI)[P(i)] with ⋀

i∈I(ϕ)

P(i)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 22 / 39

Eliminating Universal Quantifjcation — Example

Before elimination (∀j)[j < i ⇒ a[j] = 0] ∧ a′[i] = 0 ∧ (∀j ≠ i)[a′[j] = a[j]] ∧ k ≤ i ∧ a′[k] ≠ 0 Set

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 23 / 39

Eliminating Universal Quantifjcation — Example

Before elimination (∀j)[j < i ⇒ a[j] = 0] ∧ a′[i] = 0 ∧ (∀j)[(j ≠ i) ⇒ a′[j] = a[j]] ∧ k ≤ i ∧ a′[k] ≠ 0 Set I(ϕ) = {i, k}

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 23 / 39

Eliminating Universal Quantifjcation — Example

Before elimination (∀j)[j < i ⇒ a[j] = 0] ∧ a′[i] = 0 ∧ (∀j)[(j ≠ i) ⇒ a′[j] = a[j]] ∧ k ≤ i ∧ a′[k] ≠ 0 After elimination i < i ⇒ a[i] = 0 ∧ k < i ⇒ a[k] = 0 ∧ a′[i] = 0 ∧ i ≠ i ⇒ a′[i] = a[i] ∧ k ≠ i ⇒ a′[k] = a[k] ∧ k ≤ i ∧ a′[k] ≠ 0 Set I(ϕ) = {i, k}

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 23 / 39

Eliminating Universal Quantifjcation — Example

Before elimination (∀j)[j < i ⇒ a[j] = 0] ∧ a′[i] = 0 ∧ (∀j)[(j ≠ i) ⇒ a′[j] = a[j]] ∧ k ≤ i ∧ a′[k] ≠ 0 Removed trivial implications k < i ⇒ a[k] = 0 ∧ a′[i] = 0 ∧ k ≠ i ⇒ a′[k] = a[k] ∧ k ≤ i ∧ a′[k] ≠ 0 Set I(ϕ) = {i, k}

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 23 / 39

Replace Arrays With Uninterpreted Functions

Before replacement k < i ⇒ a[k] = 0 ∧ a′[i] = 0 ∧ k ≠ i ⇒ a′[k] = a[k] ∧ k ≤ i ∧ a′[k] ≠ 0 After replacement k < i ⇒ Fa(k) = 0 ∧ Fa′(i) = 0 ∧ k ≠ i ⇒ Fa′(k) = Fa(k) ∧ k ≤ i ∧ Fa′(k) ≠ 0

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 24 / 39

Check Satisfjability

k < i ⇒ Fa(k) = 0 ∧ Fa′(i) = 0 ∧ k ≠ i ⇒ Fa′(k) = Fa(k) ∧ k ≤ i ∧ Fa′(k) ≠ 0 We have that If , then and

contradiction

If , then , , and

contradiction

The formula is unsatisfjable (and the original formula is valid)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 25 / 39

Check Satisfjability

k < i ⇒ Fa(k) = 0 ∧ Fa′(i) = 0 ∧ k ≠ i ⇒ Fa′(k) = Fa(k) ∧ k ≤ i ∧ Fa′(k) ≠ 0 We have that k ≤ i If , then and

contradiction

If , then , , and

contradiction

The formula is unsatisfjable (and the original formula is valid)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 25 / 39

Check Satisfjability

k < i ⇒ Fa(k) = 0 ∧ Fa′(i) = 0 ∧ k ≠ i ⇒ Fa′(k) = Fa(k) ∧ k ≤ i ∧ Fa′(k) ≠ 0 We have that k ≤ i If k = i, then Fa′(i) = 0 and Fa′(i) ≠ 0

• ⇒ contradiction

If , then , , and

contradiction

The formula is unsatisfjable (and the original formula is valid)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 25 / 39

Check Satisfjability

k < i ⇒ Fa(k) = 0 ∧ Fa′(i) = 0 ∧ k ≠ i ⇒ Fa′(k) = Fa(k) ∧ k ≤ i ∧ Fa′(k) ≠ 0 We have that k ≤ i If k = i, then Fa′(i) = 0 and Fa′(i) ≠ 0

• ⇒ contradiction

If k < i, then Fa(k) = 0, Fa′(k) = Fa(k) = 0, and Fa′(k) ≠ 0

• ⇒ contradiction

The formula is unsatisfjable (and the original formula is valid)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 25 / 39

Check Satisfjability

k < i ⇒ Fa(k) = 0 ∧ Fa′(i) = 0 ∧ k ≠ i ⇒ Fa′(k) = Fa(k) ∧ k ≤ i ∧ Fa′(k) ≠ 0 We have that k ≤ i If k = i, then Fa′(i) = 0 and Fa′(i) ≠ 0

• ⇒ contradiction

If k < i, then Fa(k) = 0, Fa′(k) = Fa(k) = 0, and Fa′(k) ≠ 0

• ⇒ contradiction

The formula is unsatisfjable (and the original formula is valid)

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 25 / 39

Closing Remarks

Theory of arrays is not needed for bounds checking

We need to argue only about indices and the array sizes

Reduction can be done lazily

Useful for using as part of DPLL(T).

Multidimensional-arrays — combination of one-dimensional arrays

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 26 / 39

Pointer logic

Motivation

1

int a[10];

2

int i;

3 4

void array_sum(int *sum) {

5

*sum=0;

6

for(i=0; i<10; ++i) {

7

*sum+=a[i];

8

}

9

}

Is the code correct and safe? What if sum is NULL (zero address)? What if sum=&i (the address of i)?

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 28 / 39

Motivation

1

int a[10];

2

int i;

3 4

void array_sum(int *sum) {

5

*sum=0;

6

for(i=0; i<10; ++i) {

7

*sum+=a[i];

8

}

9

}

Is the code correct and safe? What if sum is NULL (zero address)? What if sum=&i (the address of i)?

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 28 / 39

Motivation

1

int a[10];

2

int i;

3 4

void array_sum(int *sum) {

5

*sum=0;

6

for(i=0; i<10; ++i) {

7

*sum+=a[i];

8

}

9

}

Is the code correct and safe? What if sum is NULL (zero address)? What if sum=&i (the address of i)?

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 28 / 39

Motivation

1

int a[10];

2

int i;

3 4

void array_sum(int *sum) {

5

*sum=0;

6

for(i=0; i<10; ++i) {

7

*sum+=a[i];

8

}

9

}

Is the code correct and safe? What if sum is NULL (zero address)? What if sum=&i (the address of i)?

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 28 / 39

Motivation

1

int *p, *q; // uninitialized pointer variables

2

p=new int[10]; // p points to a newly allocated array

3

q=&p[3]; // p points to the 3rd element of p

4

delete[] p; // array p is released

5

*q=2; // accessing the 3rd element of array p

The last line accesses array p which was already released! How to detect such bug?

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 29 / 39

Motivation

1

int *p, *q; // uninitialized pointer variables

2

p=new int[10]; // p points to a newly allocated array

3

q=&p[3]; // p points to the 3rd element of p

4

delete[] p; // array p is released

5

*q=2; // accessing the 3rd element of array p

The last line accesses array p which was already released! How to detect such bug?

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 29 / 39

Motivation

1

int *p, *q; // uninitialized pointer variables

2

p=new int[10]; // p points to a newly allocated array

3

q=&p[3]; // p points to the 3rd element of p

4

delete[] p; // array p is released

5

*q=2; // accessing the 3rd element of array p

The last line accesses array p which was already released! How to detect such bug?

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 29 / 39

Memory Model and Layout

Memory model determines how the memory cells are addressed We assume an address space A which is a subinterval of {0,1, . . . ,N − 1} Each address identifjes a memory cell that can store a single data word The set of data words is denoted by D Memory valuation M ∶ A → D is a mapping from a set of adresses A into domain D of data words Memory layout L ∶ V → A is a mapping from each variable v ∈ V to an address a ∈ A V denotes the set of variables address of v is also called the memory location of v

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 30 / 39

Memory Model and Layout

Memory model determines how the memory cells are addressed We assume an address space A which is a subinterval of {0,1, . . . ,N − 1} Each address identifjes a memory cell that can store a single data word The set of data words is denoted by D Memory valuation M ∶ A → D is a mapping from a set of adresses A into domain D of data words Memory layout L ∶ V → A is a mapping from each variable v ∈ V to an address a ∈ A V denotes the set of variables address of v is also called the memory location of v

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 30 / 39

Memory Model and Layout

Memory model determines how the memory cells are addressed We assume an address space A which is a subinterval of {0,1, . . . ,N − 1} Each address identifjes a memory cell that can store a single data word The set of data words is denoted by D Memory valuation M ∶ A → D is a mapping from a set of adresses A into domain D of data words Memory layout L ∶ V → A is a mapping from each variable v ∈ V to an address a ∈ A V denotes the set of variables address of v is also called the memory location of v

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 30 / 39

Memory Layout Example

A program

1

int var_a, var_b, var_c;

2

struct { int x; int y; } S;

3

int array[4];

4

int *p=&var_c;

5 6

int main() {

7

*p=100; // var_c=100

8

}

Memory layout var_a 0 var_b 1 var_c 2 S.x 3 S.y 4 array[0] 5 array[1] 6 array[2] 7 array[3] 8 p 9

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 31 / 39

Pointers

Pointer a variable which points into memory Contains an address of a memory cell Explicitly used in low level languages Reference a restricted pointer used in higher level languages Hides the actual pointer from the programmer Cannot be NULL Dynamic allocation allocation of memory during the life of a program Sometimes implicit Changes the memory layout Deallocation releases previously allocated memory to the system explicit reference counting garbage collector RAII

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 32 / 39

Pointers

Pointer a variable which points into memory Contains an address of a memory cell Explicitly used in low level languages Reference a restricted pointer used in higher level languages Hides the actual pointer from the programmer Cannot be NULL Dynamic allocation allocation of memory during the life of a program Sometimes implicit Changes the memory layout Deallocation releases previously allocated memory to the system explicit reference counting garbage collector RAII

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 32 / 39

Pointers

Pointer a variable which points into memory Contains an address of a memory cell Explicitly used in low level languages Reference a restricted pointer used in higher level languages Hides the actual pointer from the programmer Cannot be NULL Dynamic allocation allocation of memory during the life of a program Sometimes implicit Changes the memory layout Deallocation releases previously allocated memory to the system explicit reference counting garbage collector RAII

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 32 / 39

Pointers

Pointer a variable which points into memory Contains an address of a memory cell Explicitly used in low level languages Reference a restricted pointer used in higher level languages Hides the actual pointer from the programmer Cannot be NULL Dynamic allocation allocation of memory during the life of a program Sometimes implicit Changes the memory layout Deallocation releases previously allocated memory to the system explicit reference counting garbage collector RAII

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 32 / 39

Simple Pointer Logic

fla ∶ fla ∧ fla ∣ fla ∨ fla ∣ (fla) ∣ ¬fla ∣ atom atom ∶ pointer = pointer ∣ term = term ∣ pointer < pointer ∣ term < term pointer ∶ pointer-identifier ∣ pointer + term ∣ (pointer) ∣ &identifier ∣ & ∗ pointer ∣ ∗pointer ∣ NULL term ∶ identifier ∣ ∗pointer ∣ term op term ∣ integer-constant ∣ identifier[term]

• p ∶ + ∣ −

pointer-identifier pointer variable identifier any variable We consider only pointer, integer, or integer array

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 33 / 39

Pointer Logic Formulas (Examples)

Well-formed formulas

∗(p + i) = 1 ∗(p + ∗p) = 0 p = q ∧ ∗p = 5 ∗ ∗ ∗ ∗ ∗p = 1 p < q

Not well-formed formulas

p + i p = i ∗(p + q) ∗1 = 1 p < i Pointer logic allows pointer arithmetic No conversion between pointers and integers

pointers can be wider

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 34 / 39

Semantics

Semantics is given by reduction to linear integer arithmetic and array logic Assume a memory layout L and memory valuation M

treated as array types

LP set of pointer logic expressions LD expressions of the logic of data words

. ∶ LP → LD function which assigns a value e ∈ LD to each

expression e ∈ LP Defjned recursively

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 35 / 39

Semantics

Semantics is given by reduction to linear integer arithmetic and array logic Assume a memory layout L and memory valuation M

treated as array types

LP set of pointer logic expressions LD expressions of the logic of data words

. ∶ LP → LD function which assigns a value e ∈ LD to each

expression e ∈ LP Defjned recursively

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 35 / 39

Semantics

Semantics is given by reduction to linear integer arithmetic and array logic Assume a memory layout L and memory valuation M

treated as array types

LP set of pointer logic expressions LD expressions of the logic of data words

. ∶ LP → LD function which assigns a value e ∈ LD to each

expression e ∈ LP Defjned recursively

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 35 / 39

Semantics

Semantics is given by reduction to linear integer arithmetic and array logic Assume a memory layout L and memory valuation M

treated as array types

LP set of pointer logic expressions LD expressions of the logic of data words

. ∶ LP → LD function which assigns a value e ∈ LD to each

expression e ∈ LP Defjned recursively

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 35 / 39

Semantics

Semantics is given by reduction to linear integer arithmetic and array logic Assume a memory layout L and memory valuation M

treated as array types

LP set of pointer logic expressions LD expressions of the logic of data words

. ∶ LP → LD function which assigns a value e ∈ LD to each

expression e ∈ LP Defjned recursively

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 35 / 39

Semantics

Semantics is given by reduction to linear integer arithmetic and array logic Assume a memory layout L and memory valuation M

treated as array types

LP set of pointer logic expressions LD expressions of the logic of data words

. ∶ LP → LD function which assigns a value e ∈ LD to each

expression e ∈ LP Defjned recursively

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 35 / 39

Recursive Defjnition of e

f1 ∧ f2 ≔ f1 ∧ f2 ¬ f ≔ ¬ f p1 = p2 ≔ p1 = p2 p1 < p2 ≔ p1 < p2 t1 = t2 ≔ t1 = t2 t1 < t2 ≔ t1 < t2 p ≔ M[L[p]] p + t ≔ p + t

f , f1, f2 formulas t, t1, t2 terms p, p1, p2 pointer variables

&v ≔ L[v] & ∗ p ≔ p NULL ≔ 0 v ≔ M[L[v]] ∗p ≔ M[p] t1 op t2 ≔ t1 op t2 c ≔ c v[t] ≔ M[L[v] + t]

v variable c integer constant

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 36 / 39

Semantics — example

Consider expression ∗(&a + 1) = a[1] with an array identifjer a. Then

∗(&a + 1) = a[1] ⇐

⇒ ∗(&a + 1) = a[1] ⇐ ⇒ M[&a + 1] = M[L[a] + 1] ⇐ ⇒ M[&a + 1] = M[L[a] + 1] ⇐ ⇒ M[L[a] + 1] = M[L[a] + 1] The resulting formula is valid (satisfjed for any M, L) and so is is the

• riginal formula

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 37 / 39

Semantics — example

Consider expression ∗(&a + 1) = a[1] with an array identifjer a. Then

∗(&a + 1) = a[1] ⇐

⇒ ∗(&a + 1) = a[1] ⇐ ⇒ M[&a + 1] = M[L[a] + 1] ⇐ ⇒ M[&a + 1] = M[L[a] + 1] ⇐ ⇒ M[L[a] + 1] = M[L[a] + 1] The resulting formula is valid (satisfjed for any M, L) and so is is the

• riginal formula

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 37 / 39

Semantics — example

Consider expression ∗(&a + 1) = a[1] with an array identifjer a. Then

∗(&a + 1) = a[1] ⇐

⇒ ∗(&a + 1) = a[1] ⇐ ⇒ M[&a + 1] = M[L[a] + 1] ⇐ ⇒ M[&a + 1] = M[L[a] + 1] ⇐ ⇒ M[L[a] + 1] = M[L[a] + 1] The resulting formula is valid (satisfjed for any M, L) and so is is the

• riginal formula

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 37 / 39

Semantics — example

Consider expression ∗(&a + 1) = a[1] with an array identifjer a. Then

∗(&a + 1) = a[1] ⇐

⇒ ∗(&a + 1) = a[1] ⇐ ⇒ M[&a + 1] = M[L[a] + 1] ⇐ ⇒ M[&a + 1] = M[L[a] + 1] ⇐ ⇒ M[L[a] + 1] = M[L[a] + 1] The resulting formula is valid (satisfjed for any M, L) and so is is the

• riginal formula

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 37 / 39

Semantics — example

Consider expression ∗(&a + 1) = a[1] with an array identifjer a. Then

∗(&a + 1) = a[1] ⇐

⇒ ∗(&a + 1) = a[1] ⇐ ⇒ M[&a + 1] = M[L[a] + 1] ⇐ ⇒ M[&a + 1] = M[L[a] + 1] ⇐ ⇒ M[L[a] + 1] = M[L[a] + 1] The resulting formula is valid (satisfjed for any M, L) and so is is the

• riginal formula

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 37 / 39

Semantics — example

Consider expression ∗(&a + 1) = a[1] with an array identifjer a. Then

∗(&a + 1) = a[1] ⇐

⇒ ∗(&a + 1) = a[1] ⇐ ⇒ M[&a + 1] = M[L[a] + 1] ⇐ ⇒ M[&a + 1] = M[L[a] + 1] ⇐ ⇒ M[L[a] + 1] = M[L[a] + 1] The resulting formula is valid (satisfjed for any M, L) and so is is the

• riginal formula

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 37 / 39

Decision procedure for simple pointer logic

The semantic translates formulas into formulas of data words theory with arrays Decision procedure:

1 Given a formula

in simple pointer logic

2 Compute 3 Use decision procedure for data words logic with arrays to decide

satisfjability

Data words logic can be e.g.

linear arithmetic over integers + arrays bit vectors + arrays

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 38 / 39

Decision procedure for simple pointer logic

The semantic translates formulas into formulas of data words theory with arrays Decision procedure:

1 Given a formula ϕ in simple pointer logic 2 Compute ψ = ϕ 3 Use decision procedure for data words logic with arrays to decide

satisfjability ψ

Data words logic can be e.g.

linear arithmetic over integers + arrays bit vectors + arrays

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 38 / 39

Decision procedure for simple pointer logic

The semantic translates formulas into formulas of data words theory with arrays Decision procedure:

1 Given a formula ϕ in simple pointer logic 2 Compute ψ = ϕ 3 Use decision procedure for data words logic with arrays to decide

satisfjability ψ

Data words logic can be e.g.

linear arithmetic over integers + arrays bit vectors + arrays

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 38 / 39

Memory Model Assumptions

On most architectures we can assume that

No variable has address NULL No two difgerent variables and have overlapping memory Naturally generalizes to a situation where and span more than a single data word

We can add these assumptions as axioms to the theory

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 39 / 39

Memory Model Assumptions

On most architectures we can assume that

No variable x has address 0 &x ≠ NULL No two difgerent variables and have overlapping memory Naturally generalizes to a situation where and span more than a single data word

We can add these assumptions as axioms to the theory

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 39 / 39

Memory Model Assumptions

On most architectures we can assume that

No variable x has address 0 &x ≠ NULL No two difgerent variables x and y have overlapping memory x ≠ y ⇒ &x ≠ &y Naturally generalizes to a situation where and span more than a single data word

We can add these assumptions as axioms to the theory

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 39 / 39

Memory Model Assumptions

On most architectures we can assume that

No variable x has address 0 &x ≠ NULL No two difgerent variables x and y have overlapping memory x ≠ y ⇒ &x ≠ &y Naturally generalizes to a situation where x and y span more than a single data word

We can add these assumptions as axioms to the theory

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 39 / 39

Memory Model Assumptions

On most architectures we can assume that

No variable x has address 0 &x ≠ NULL No two difgerent variables x and y have overlapping memory x ≠ y ⇒ &x ≠ &y Naturally generalizes to a situation where x and y span more than a single data word

We can add these assumptions as axioms to the theory

Petr Kučera (Charles University) Decision Procedures and Verifjcation 2019/20 (11th lecture) 39 / 39