Decision Procedures for Automating Termination Proofs Ruzica - - PowerPoint PPT Presentation



SLIDE 1

Decision Procedures for Automating Termination Proofs

Ruzica Piskac, EPFL; Thomas Wies, IST Austria

SLIDE 2

Proving Program Termination

Ranking function into the natural numbers: Construction of global ranking functions is difficult (to automate)!

assume x > 0
while x ≥ 0 do
  y := 1
  while y < x do
    y := 2y
  end
  x := x − 1
end

SLIDE 3

Automating Termination Proofs

Proof techniques based on local ranking functions

  • Size-change principle [Lee, Jones, Ben-Amram 2001]
  • Transition invariants [Podelski, Rybalchenko 2004]

Idea

  • decompose program into simpler ones
  • prove each simple program terminating independently

Use decision procedures for well-founded domains to automate these tasks: Terminator [Cook, Podelski, Rybalchenko 2006]

SLIDE 4

Proving Program Termination

Ranking function into a lexicographically ordered set: Decomposition into linear ranking functions is not always possible!

assume x > 0
while x ≥ 0 do
  y := 1
  while y < x do
    y := 2y
  end
  x := x − 1
end

We need decision procedures for more powerful well-founded orderings. This talk: decision procedures for multiset orderings

SLIDE 5

Counting Leaves in a Tree

prog CountLeaves(root : Tree) : int =
  var S : Stack[Tree] = root
  var c : int = 0
  do
    y := head(S)
    if leaf(y) then
      S := tail(S)
      c := c + 1
    else
      S := left(y) · right(y) · tail(S)
  until S = ε
  return c

Figure: example tree (node labels a b c d d d e e e e e e e); initial stack $S : a$.

SLIDE 6

Counting Leaves in a Tree

Same CountLeaves program as on slide 5.

Figure: the same tree (node labels a b c d d d e e e e e e e), with the stack now $S : e \cdot e \cdot c$.

Ranking function for loop: consider $S$ as a multiset of trees with the subtree ordering.

SLIDE 7

Multisets

Figure: a finite multiset $X$ drawn over its base set (elements shown: 1 2 3 4 2 2 3), each element with its multiplicity.

Operations are defined point-wise; all multisets are finite.

SLIDE 8

Multiset Orderings

Figure: multisets $X$ (elements shown: 2 3 1 2 3 4 2 2 3) and $Y$ (elements shown: 1 2 3 5 5 1).

Extend ordering $\preceq$ on base set to ordering $\preceq_m$ on multisets

SLIDE 9

Multiset Orderings

Figure: the same multisets $X$ (elements shown: 4 2 2 3) and $Y$ (elements shown: 2 3 1 2 3 5 5 1), with $X \setminus Y$ and $Y \setminus X$ highlighted.

$\preceq_m$ well-founded iff $\preceq$ well-founded [Dershowitz, Manna 1979]

SLIDE 10

Counting Leaves in a Tree

a b c d d d e e e e e e e

Figure: the example tree (node labels a b c d d d e e e e e e e).

Termination condition for the loop: the extension of the subtree relation to multisets. Valid!

Is satisfiability of multiset ordering constraints decidable?
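An added example (not code from the slides or the authors' tool): the multiset ordering in the pointwise form the talk uses, applied to the CountLeaves loop, where the stack is a multiset of trees, the base ordering is the proper-subtree relation, and every iteration must strictly decrease the stack multiset. The tuple encoding of trees, the sample tree and all helper names are assumptions.

```python
from collections import Counter

# Trees as nested tuples: a leaf is a string label, an inner node is
# (label, left, right). SAMPLE is constructed for this example and is not
# the tree drawn on the slides.
SAMPLE = ("a", ("b", "e1", ("d", "e2", "e3")), ("c", ("d", "e4", "e5"), "e6"))

def ms(*elems):
    """Finite multiset literal: element -> multiplicity."""
    return Counter(elems)

def proper_subtree(s, t):
    """Base ordering: s is below t iff s is a proper subtree of t (well-founded)."""
    if isinstance(t, str):
        return False
    _, left, right = t
    return s in (left, right) or proper_subtree(s, left) or proper_subtree(s, right)

def mlt(M, N, lt):
    """M strictly below N in the multiset ordering, pointwise form: M != N and
    every element with more copies in M than in N lies below some element
    with more copies in N than in M."""
    if M == N:
        return False
    return all(any(M[x] < N[x] and lt(y, x) for x in N)
               for y in M if N[y] < M[y])

def count_leaves(root):
    """CountLeaves from the slides, recording the stack multiset at each iteration."""
    S, c, trace = [root], 0, []
    while True:
        trace.append(Counter(S))
        y = S[0]
        if isinstance(y, str):          # leaf: pop it and count it
            S, c = S[1:], c + 1
        else:                           # inner node: replace it by its two children
            S = [y[1], y[2]] + S[1:]
        if not S:
            trace.append(Counter())     # S is empty: the loop exits
            return c, trace

def ranking_decreases(root):
    """Ranking-function check: the stack, as a multiset of trees under the
    subtree ordering, strictly decreases on every iteration."""
    c, trace = count_leaves(root)
    return c, all(mlt(after, before, proper_subtree)
                  for before, after in zip(trace, trace[1:]))
```

Because the proper-subtree relation is well-founded, so is its multiset extension, which is why this check proves termination of the loop rather than merely observing it on one input.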

SLIDE 11

Main Results

  • 1. If $T_0$ is decidable then so is its multiset extension.
  • 2. If $T_0$ is decidable in NP then so is its multiset extension.
  • 3. The decision procedure is easily implementable using off-the-shelf SMT solvers.

Let $T_0$ be a base theory of a preordered set. Examples for $T_0$:

  • theory of all preordered sets
  • theory of linear integer arithmetic
  • theory of a term algebra (trees) with subterm relation

SLIDE 12

Decision Procedure through an Example

$X' = (X \setminus Y) \uplus Y' \;\land\; Y \subseteq X \;\land\; Y' \prec_m Y \;\land\; \lnot(X' \prec_m X)$

Unsatisfiable! (Figure: the multisets $X$, $Y$, $X'$, $Y'$.)

SLIDE 13

Step 1: Flattening

$X' = (X \setminus Y) \uplus Y' \;\land\; Y \subseteq X \;\land\; Y' \prec_m Y \;\land\; \lnot(X' \prec_m X)$

Introduce fresh variables for all non-variable subterms:

$X' = X_1 \uplus Y' \;\land\; X_1 = X \setminus Y \;\land\; Y \subseteq X \;\land\; Y' \prec_m Y \;\land\; \lnot(X' \prec_m X)$

SLIDE 14

Step 2: Reduction

Replace multiset operations by their pointwise definitions:

$(\forall x.\, X'(x) = X_1(x) + Y'(x))$
$\land\ (\forall x.\, X_1(x) = \max\{X(x) - Y(x),\, 0\})$
$\land\ (\forall x.\, Y(x) \le X(x))$
$\land\ (\exists y.\, Y'(y) \ne Y(y))$
$\land\ (\forall y'.\, Y(y') < Y'(y') \to \exists y.\, Y'(y) < Y(y) \land y' \preceq y)$
$\land\ ((\forall x.\, X'(x) = X(x)) \lor (\exists x'.\, X(x') < X'(x') \land \forall x.\, X'(x) < X(x) \to \lnot(x' \preceq x)))$

SLIDE 15

Step 3: Skolemization

Skolemize all existential quantifiers (the $\exists y$ and $\exists x'$ in the reduced formula of Step 2).

SLIDE 16

Step 3: Skolemization

Skolemize all existential quantifiers:

$(\forall x.\, X'(x) = X_1(x) + Y'(x))$
$\land\ (\forall x.\, X_1(x) = \max\{X(x) - Y(x),\, 0\})$
$\land\ (\forall x.\, Y(x) \le X(x))$
$\land\ (Y'(c_1) \ne Y(c_1))$
$\land\ (\forall y'.\, Y(y') < Y'(y') \to Y'(w(y')) < Y(w(y')) \land y' \preceq w(y'))$
$\land\ ((\forall x.\, X'(x) = X(x)) \lor (X(c_2) < X'(c_2) \land \forall x.\, X'(x) < X(x) \to \lnot(c_2 \preceq x)))$

$w$: witness function

SLIDE 17

Step 4: Strengthening

Add additional axioms constraining the witness functions:

$(\forall x.\, X'(x) = X_1(x) + Y'(x))$
$\land\ (\forall x.\, X_1(x) = \max\{X(x) - Y(x),\, 0\})$
$\land\ (\forall x.\, Y(x) \le X(x))$
$\land\ (Y'(c_1) \ne Y(c_1))$
$\land\ (\forall y'.\, Y(y') < Y'(y') \to Y'(w(y')) < Y(w(y')) \land y' \preceq w(y'))$
$\land\ ((\forall x.\, X'(x) = X(x)) \lor (X(c_2) < X'(c_2) \land \forall x.\, X'(x) < X(x) \to \lnot(c_2 \preceq x)))$
$\land\ F(Y, Y', w)$

SLIDE 18

Step 5: Instantiation

Instantiate universal quantifiers with ground terms.

Instantiate with $c_1, c_2, w(c_1), w(c_2)$.

SLIDE 19

Step 5: Instantiation

Instantiating the universal quantifiers with $c_1, c_2, w(c_1), w(c_2)$ yields the ground case split:

$Y'(c_1) \ne Y(c_1) \land X'(c_1) = X(c_1) \land X'(c_1) = X(c_1) - Y(c_1) + Y'(c_1)$
$\lor\ X'(c_2) = X(c_2) - Y(c_2) + Y'(c_2) \land X(c_2) < X'(c_2) \land Y(c_2) \ge Y'(c_2)$
$\lor\ X'(w(c_2)) = X(w(c_2)) - Y(w(c_2)) + Y'(w(c_2)) \land Y'(w(c_2)) < Y(w(c_2)) \land X'(w(c_2)) \ge X(w(c_2))$
$\lor\ c_2 \preceq w(c_2) \land \lnot(c_2 \preceq w(c_2))$

SLIDE 20

Step 6: Check Satisfiability

Call decision procedure for base theory + LIA + EUF.

Each disjunct of the ground case split is unsatisfiable, hence the whole constraint is unsatisfiable!
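The six steps above, as an added example in Python that is not the authors' implementation: the running example is carried through Steps 2 to 5 by hand and the resulting ground formula is emitted as an SMT-LIB 2 script for Step 6, with the base preorder as an uninterpreted predicate `le`, the witness function as an uninterpreted `w`, and multisets as `Elem -> Int` functions (all names assumed). The strengthening axioms $F(Y, Y', w)$ of Step 4 are not spelled out on the slides and are omitted (assumption); for this example the ground case split is contradictory without them.

```python
# Added example (not the authors' tool): the running example after Steps 2-5,
# emitted as SMT-LIB 2 for Step 6. Multisets X, X1, Y, X', Y' are Elem -> Int
# functions, the witness w an uninterpreted Elem -> Elem function and the base
# preorder an uninterpreted predicate le (assumed names). The Step 4 axioms
# F(Y, Y', w) are not given on the slides and are left out here.
MULTISETS = ("X", "X1", "Y", "Xp", "Yp")          # Xp = X', Yp = Y'
GROUND_TERMS = ("c1", "c2", "(w c1)", "(w c2)")   # Step 5 instantiation set

def app(f, t):
    return f"({f} {t})"

def universal_instances(t):
    """Pointwise definitions (Step 2) and the Skolemized Y' <_m Y clause
    (Step 3), instantiated at the ground term t (Step 5)."""
    X, X1, Y, Xp, Yp = (app(f, t) for f in MULTISETS)
    w_t = app("w", t)
    return [
        f"(= {Xp} (+ {X1} {Yp}))",                            # X' = X1 (+) Y'
        f"(= {X1} (ite (>= {X} {Y}) (- {X} {Y}) 0))",         # X1 = X \ Y
        f"(<= {Y} {X})",                                      # Y subset of X
        # Y(y') < Y'(y') -> Y'(w(y')) < Y(w(y')) and y' <= w(y')
        f"(=> (< {Y} {Yp}) (and (< {app('Yp', w_t)} {app('Y', w_t)}) (le {t} {w_t})))",
    ] + [f"(>= {m} 0)" for m in (X, X1, Y, Xp, Yp)]          # multiplicities are in N

def not_mlt_instance():
    """not(X' <_m X) = (forall x. X'(x) = X(x)) or (X(c2) < X'(c2) and
    forall x. X'(x) < X(x) -> not(c2 <= x)), universals replaced by
    conjunctions over GROUND_TERMS."""
    same = " ".join(f"(= {app('Xp', t)} {app('X', t)})" for t in GROUND_TERMS)
    above = " ".join(f"(=> (< {app('Xp', t)} {app('X', t)}) (not (le c2 {t})))"
                     for t in GROUND_TERMS)
    return f"(or (and {same}) (and (< (X c2) (Xp c2)) {above}))"

def smtlib_script():
    """Step 6: the ground problem for an off-the-shelf SMT solver (UF + LIA)."""
    lines = ["(set-logic UFLIA)", "(declare-sort Elem 0)",
             "(declare-fun w (Elem) Elem)", "(declare-fun le (Elem Elem) Bool)",
             "(declare-const c1 Elem)", "(declare-const c2 Elem)"]
    lines += [f"(declare-fun {m} (Elem) Int)" for m in MULTISETS]
    lines.append("(assert (not (= (Yp c1) (Y c1))))")   # Skolemized exists y. Y'(y) != Y(y)
    for t in GROUND_TERMS:
        lines += [f"(assert {c})" for c in universal_instances(t)]
    lines.append(f"(assert {not_mlt_instance()})")
    lines.append("(check-sat)")
    return "\n".join(lines)
```

Any SMT-LIB 2 solver that supports UFLIA (z3, cvc5) answers unsat on this script, matching the result of Step 6.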

SLIDE 21

Completeness of Finite Instantiation

$F$: multiset ordering constraint after Skolemization

Figure: a model of $F$; the values of the base set ground terms in $F$ form a finite part of the base set; multiset functions $X$ map the base set to $\mathbb{N}$, witness functions $w$ map the base set to itself.

Functions representing multisets are sort restricted, but witness functions are not!

Additional axioms bound witness functions!

SLIDE 22

Axioms for Witness Functions

Figure: multisets $X$ and $Y$ with $X \setminus Y$ and $Y \setminus X$; the witness function $w$ may only map to maximal elements!

Axioms are designed specifically to guarantee the NP complexity bound.

SLIDE 23

Completeness of Instantiation

$F$: formula obtained after strengthening; $M$: model of $F$; $n$: number of witness functions in $F$.

If $t_m, t_{m-1}, \dots, t_0$ is a strict chain of length $m > n$ in $M$ with $t_1 = w_0(t_0)$, $t_2 = w_1(t_1)$, …, $t_m = w_{m-1}(t_{m-1})$, then for some $w, i, j$: $0 \le i < j < m$ and $w = w_i = w_j$.

Figure: the chain $t_i, t_{i+1}, \dots, t_j, t_{j+1}$ drawn over $X \setminus Y$ and $Y \setminus X$, with the witness arrows $w$.

Strict chains can have at most length $n$!

SLIDE 24

Completeness of Finite Instantiation

$F$: multiset ordering constraint

Figure: a model of $F$; the values of the base set ground terms of $F$ form a finite part of the base set; multiset functions $X$ map the base set to $\mathbb{N}$, witness functions $w$ map the base set to itself, and the instantiation set is polynomial.

Instantiate quantifiers with terms constructed from ground terms of $F$ by applying each witness function at most once.

Size of the instantiated formula is exponential in the number of witness functions!

SLIDE 25

Complexity

$F$: formula obtained after strengthening; $M$: model of $F$; $n$: number of witness functions; $m$: number of ground terms in $F$.

$t_k, t_{k-1}, \dots, t_0$: maximal strict chain of witness terms in $M$, with $t_1 = w_0(t_0)$, $t_2 = w_1(t_1)$, …, $t_k = w_{k-1}(t_{k-1})$.

Figure: the chain from $t_0$ through $t_j, t_{j+1}$ with witness arrows $w_j$.

If the base theory is decidable in NP then so is its multiset extension: guess polynomially many strict chains, then instantiate!

SLIDE 26

POSSUM: Multisets over Preordered Sets

top-level formulas:
$F ::= A \mid F \land F \mid \lnot F$
$A ::= M = M \mid M \subseteq M \mid M \preceq_m M \mid A_{elem} \mid K = K \mid K \le K \mid F_\forall$
$M ::= X \mid \emptyset \mid \{t^K\} \mid M \cap M \mid M \cup M \mid M \uplus M \mid M \setminus M \mid \mathrm{set}(M)$
$K ::= k \mid C \mid K + K \mid C \cdot K$

restricted quantified formulas:
$F_\forall ::= \forall x : elem.\, F_\forall \mid \forall x : elem.\, F_{in}$
$F_{in} ::= A_{in} \mid F_{in} \land F_{in} \mid \lnot F_{in}$
$A_{in} ::= t_{in} \le t_{in} \mid t_{in} = t_{in} \mid e_{in} \preceq e_{in} \mid e_{in} = e_{in}$
$t_{in} ::= X(e_{in}) \mid C \mid t_{in} + t_{in} \mid C \cdot t_{in}$
$e_{in} ::= x \mid t$

terminals: $X$ - multiset; $k$ - integer variable; $C$ - integer constant; $t$ - ground $\Sigma_{elem}$-term of sort $elem$; $x$ - variable of sort $elem$; $A_{elem}$ - ground $\Sigma_{elem}$-atom

If the base theory is decidable in NP then so is its POSSUM extension.

SLIDE 27

Related Work

  • Dershowitz, Manna 1979: Multiset orderings for termination proofs
  • Zarba 2002: Multisets + linear integer arithmetic is decidable in NP
  • Piskac, Kuncak 2008: Multisets + cardinality constraints are decidable in NP
  • Kuncak, Piskac, Suter 2010: Sets over total orders + cardinality constraints are decidable in NP
  • Nieuwenhuis 1993: Lexicographic path orderings decidable in NP
  • Narendran, Rusinowitch, Verma 1998: Recursive path orderings decidable in NP
  • Baader, Nipkow 1998: Term Rewriting and All That
  • Zhang, Sipma, Manna 2005: Knuth-Bendix orderings decidable in NP
  • Bradley, Manna, Sipma 2006: What's decidable about arrays?
  • Sofronie-Stokkermans 2005: Local theory extensions
  • Ihlemann, Jacobs, Sofronie-Stokkermans 2008: Psi-local theory extensions

SLIDE 28

Conclusion

New logic for reasoning about multisets over preordered sets (POSSUM)

  • interesting applications: automating termination proofs
  • parameterized by base theory
  • decidable if base theory is decidable
  • good complexity (NP complete for many base theories)
  • implementation of the decision procedure with off-the-shelf SMT solvers possible